oss-sec mailing list archives
CVE Request: bson-ruby DoS and possible injection
From: Phill MV <phillmv () state io>
Date: Fri, 5 Jun 2015 17:58:14 -0700
Hi,

Egor Homakov recently disclosed a vulnerability in the `bson` rubygem as seen here:

http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html

Could we please get a CVE?

By submitting a specially crafted string to a service relying on the bson rubygem, an attacker may trigger denials of service or even inject data into victim's MongoDB instances.

Users are advised to update to versions >= 3.0.4 of the `bson` rubygem.

Relevant commits can be seen here:

https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7

Thanks!,

--
Phillip Mendonça-Vieira
@phillmv <http://twitter.com/phillmv>
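One way to check a project against the advice above, as an added example that is not part of the original message or of bson-ruby: it reads a Bundler Gemfile.lock and reports any resolved `bson` version older than 3.0.4. The function names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # Gem::Version

# First fixed release named in the advisory above.
FIXED_BSON = Gem::Version.new("3.0.4")

# Constructed sample Gemfile.lock, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bson (3.0.3)
      mongo (2.0.4)
        bson (~> 3.0)

  PLATFORMS
    ruby
LOCK

# Versions of `bson` resolved in the lockfile's "specs:" sections.
# Resolved gems sit at a 4-space indent; 6-space lines are only
# dependency constraints of another gem and are skipped.
def locked_bson_versions(lock_text)
  in_specs = false
  versions = []
  lock_text.each_line do |line|
    case line
    when /\A  specs:\s*\z/
      in_specs = true
    when /\A\S/
      in_specs = false # a new top-level section started
    when /\A {4}bson \((\d[\w.]*)(?:-[\w-]+)?\)\s*\z/
      # An optional platform suffix such as "-java" is dropped.
      versions << Gem::Version.new($1) if in_specs
    end
  end
  versions
end

# Resolved versions older than the fixed release.
def vulnerable_bson(lock_text)
  locked_bson_versions(lock_text).select { |v| v < FIXED_BSON }
end

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  bad = vulnerable_bson(text)
  puts bad.empty? ? "bson: ok" : "bson #{bad.join(', ')} < #{FIXED_BSON}: update"
end
```

Run it with the path to a Gemfile.lock as the first argument; with no argument it checks the embedded sample.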