Improper input validation in BSON Ruby driver

#VU11131 Improper input validation in BSON Ruby driver

Published: 2018-03-16 | Updated: 2018-03-26

Vulnerability identifier: #VU11131

Vulnerability risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-4412

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
BSON Ruby driver
Universal components / Libraries / Libraries used by multiple products

Vendor: MongoDB, Inc.

Description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition or inject arbitrary data on the target system.

The weakness exists in the legal? function due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted string, cause the service to crash or inject arbitrary data.

Mitigation
Update to version 3.0.4.

Vulnerable software versions

BSON Ruby driver: 3.0 - 3.0.3

External links
http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in Mongo BSON