CVE-2024-5629 — pymongo - security update

Description

An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.

How to fix CVE-2024-5629

To remediate CVE-2024-5629, upgrade the affected package to a fixed version below.

Debian/pymongo—upgrade to 3.11.0-1+deb11u1 or later
—upgrade to 3.7.1-1.1+deb10u1 or later
—upgrade to 3.11.0-1+deb11u1 or later
—upgrade to 4.6.3 or later

Is CVE-2024-5629 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 3.11.0-1+deb11u1
from 0, < 3.7.1-1.1+deb10u1
from 0, < 3.11.0-1+deb11u1
from 0, < 4.6.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-5629
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-5629
PATCHgithub.com/mongodb/mongo-python-driver
WEBgist.github.com/keltecc/62a7c2bf74a997d0a7b48a0ff3853a03