Bug 1222492 (CVE-2024-21506)

Summary: VUL-0: CVE-2024-21506: python-pymongo: out-of-bounds read in the BSON module
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED DUPLICATE QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: camila.matos, daniel.garcia, dmueller, doreilly
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/400553/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-21506:5.4:(AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-04-08 18:04:44 UTC 
Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21506
https://www.cve.org/CVERecord?id=CVE-2024-21506
https://gist.github.com/keltecc/62a7c2bf74a997d0a7b48a0ff3853a03
https://github.com/mongodb/mongo-python-driver/commit/56b6b6dbc267d365d97c037082369dabf37405d2
https://security.snyk.io/vuln/SNYK-PYTHON-PYMONGO-6370597
https://bugzilla.redhat.com/show_bug.cgi?id=2273859
Comment 6 OBSbugzilla Bot 2024-05-07 08:05:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1222492) was mentioned in
https://build.opensuse.org/request/show/1172342 Factory / python-pymongo
Comment 8 Maintenance Automation 2024-05-09 12:30:10 UTC 
SUSE-SU-2024:1571-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1222492
CVE References: CVE-2024-21506
Maintenance Incident: [SUSE:Maintenance:33727](https://smelt.suse.de/incident/33727/)
Sources used:
openSUSE Leap 15.3 (src):
 python-pymongo-3.11.0-150300.3.3.1
openSUSE Leap 15.5 (src):
 python-pymongo-3.11.0-150300.3.3.1
SUSE Package Hub 15 15-SP5 (src):
 python-pymongo-3.11.0-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Daniel Garcia 2024-05-13 06:56:09 UTC 
Reassigning to security team, request was sent to all affected codestreams.
Comment 11 Camila Camargo de Matos 2024-06-05 17:12:06 UTC 
As per the NVD page [0], this CVE was REJECTED as it was a duplicate of CVE-2024-5629. Due to this, I will be marking this bug as a duplicate as well.

[0] https://nvd.nist.gov/vuln/detail/CVE-2024-21506

*** This bug has been marked as a duplicate of bug 1226013 ***
Comment 12 Maintenance Automation 2024-06-13 16:30:11 UTC 
SUSE-SU-2024:1571-2: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1222492
CVE References: CVE-2024-21506
Maintenance Incident: [SUSE:Maintenance:33727](https://smelt.suse.de/incident/33727/)
Sources used:
openSUSE Leap 15.6 (src):
 python-pymongo-3.11.0-150300.3.3.1
SUSE Package Hub 15 15-SP6 (src):
 python-pymongo-3.11.0-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.