CVE-2024-6376
ejson shell parser in MongoDB Compass may be bypassed
Severity: HIGH (CVSS 3.1 base score 7.0), EPSS 0.66%
Description
MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2.
How to fix CVE-2024-6376
To remediate CVE-2024-6376, upgrade the affected package to a fixed version below.
- upgrade to 1.20.1 or later
Is CVE-2024-6376 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.20.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.0) | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |