Bug 1222492 (CVE-2024-21506) - VUL-0: CVE-2024-21506: python-pymongo: out-of-bounds read in the BSON module
Summary: VUL-0: CVE-2024-21506: python-pymongo: out-of-bounds read in the BSON module
Status: RESOLVED DUPLICATE of bug 1226013
Alias: CVE-2024-21506
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/400553/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-21506:5.4:(AV:...
Keywords:
Depends on:
Blocks:
Reported: 2024-04-08 18:04 UTC by SMASH SMASH
Modified: 2024-06-13 16:30 UTC (History)
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-04-08 18:04:44 UTC
Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using a crafted payload, the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to the buffer and throws an exception with a string. If the following bytes are not printable UTF-8, the parser throws an exception with a single byte.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21506
https://www.cve.org/CVERecord?id=CVE-2024-21506
https://gist.github.com/keltecc/62a7c2bf74a997d0a7b48a0ff3853a03
https://github.com/mongodb/mongo-python-driver/commit/56b6b6dbc267d365d97c037082369dabf37405d2
https://security.snyk.io/vuln/SNYK-PYTHON-PYMONGO-6370597
https://bugzilla.redhat.com/show_bug.cgi?id=2273859
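Added illustration (not code from pymongo, and not taken from the fix commit linked above): a minimal pure-Python decoder for BSON string and int32 elements that performs the bounds check a parser needs before it touches the bytes a length prefix points at. A string element's int32 length must fit inside the enclosing document, include the trailing NUL, and decode as UTF-8; a length that reaches past the end of the payload is rejected rather than read. The element layout follows the BSON specification; the function and exception names are hypothetical, and the sample documents are constructed by hand.

```python
import struct


class InvalidBSON(ValueError):
    """Raised when a document fails a structural check (hypothetical name, not pymongo's)."""


def _read_cstring(buf: bytes, pos: int, end: int) -> tuple[str, int]:
    # Key names are NUL-terminated; the terminator must lie before the document end.
    nul = buf.find(b"\x00", pos, end)
    if nul < 0:
        raise InvalidBSON("unterminated key name")
    return buf[pos:nul].decode("utf-8"), nul + 1


def _read_string(buf: bytes, pos: int, end: int) -> tuple[str, int]:
    # The 4-byte length prefix must itself be inside the buffer.
    if pos + 4 > end:
        raise InvalidBSON("truncated string length")
    length = struct.unpack_from("<i", buf, pos)[0]
    pos += 4
    # The length counts the trailing NUL, so it is at least 1, and the whole
    # string must end at or before the document end. This is the check that
    # keeps the parser from reading bytes beyond the payload it was given.
    if length < 1 or pos + length > end:
        raise InvalidBSON("string length exceeds document")
    if buf[pos + length - 1] != 0:
        raise InvalidBSON("string not NUL-terminated")
    try:
        value = buf[pos:pos + length - 1].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise InvalidBSON("string is not valid UTF-8") from exc
    return value, pos + length


def decode_document(buf: bytes) -> dict:
    """Decode a flat BSON document containing only string (0x02) and int32 (0x10) elements."""
    if len(buf) < 5:
        raise InvalidBSON("document too short")
    declared = struct.unpack_from("<i", buf, 0)[0]
    if declared != len(buf) or buf[-1] != 0:
        raise InvalidBSON("bad document length or terminator")
    end = declared - 1  # offset of the final 0x00 byte
    pos, out = 4, {}
    while pos < end:
        etype = buf[pos]
        key, pos = _read_cstring(buf, pos + 1, end)
        if etype == 0x02:
            out[key], pos = _read_string(buf, pos, end)
        elif etype == 0x10:
            if pos + 4 > end:
                raise InvalidBSON("truncated int32")
            out[key] = struct.unpack_from("<i", buf, pos)[0]
            pos += 4
        else:
            raise InvalidBSON(f"unsupported element type 0x{etype:02x}")
    return out


def is_rejected(buf: bytes) -> bool:
    """True if the decoder refuses the document (used to exercise the checks)."""
    try:
        decode_document(buf)
    except InvalidBSON:
        return True
    return False


# Constructed sample documents (hand-encoded, not from the advisory).
# {"k": "hi", "n": 7}: 22-byte document, string length 3 includes the NUL.
GOOD_DOC = (b"\x16\x00\x00\x00"
            b"\x02k\x00\x03\x00\x00\x00hi\x00"
            b"\x10n\x00\x07\x00\x00\x00"
            b"\x00")
# Same bytes, but the string length field claims 64 bytes: only 3 remain.
OVERSIZED_LEN_DOC = GOOD_DOC[:7] + b"\x40\x00\x00\x00" + GOOD_DOC[11:]
# Same bytes with a negative string length (-1).
NEGATIVE_LEN_DOC = GOOD_DOC[:7] + b"\xff\xff\xff\xff" + GOOD_DOC[11:]

if __name__ == "__main__":
    print(decode_document(GOOD_DOC))
    for name, doc in (("oversized", OVERSIZED_LEN_DOC), ("negative", NEGATIVE_LEN_DOC)):
        print(name, "rejected" if is_rejected(doc) else "accepted")
```

The two malformed documents keep the same total length as the well-formed one, so the outer document check passes and only the per-element bounds check catches them; that is the layer at which a parser without such a check would start consuming memory outside the payload.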
Comment 6 OBSbugzilla Bot 2024-05-07 08:05:01 UTC
This is an autogenerated message for OBS integration:
This bug (1222492) was mentioned in
https://build.opensuse.org/request/show/1172342 Factory / python-pymongo
Comment 8 Maintenance Automation 2024-05-09 12:30:10 UTC
SUSE-SU-2024:1571-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1222492
CVE References: CVE-2024-21506
Maintenance Incident: [SUSE:Maintenance:33727](https://smelt.suse.de/incident/33727/)
Sources used:
openSUSE Leap 15.3 (src):
 python-pymongo-3.11.0-150300.3.3.1
openSUSE Leap 15.5 (src):
 python-pymongo-3.11.0-150300.3.3.1
SUSE Package Hub 15 15-SP5 (src):
 python-pymongo-3.11.0-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Daniel Garcia 2024-05-13 06:56:09 UTC
Reassigning to security team, request was sent to all affected codestreams.
Comment 11 Camila Camargo de Matos 2024-06-05 17:12:06 UTC
As per the NVD page [0], this CVE was REJECTED as it was a duplicate of CVE-2024-5629. Due to this, I will be marking this bug as a duplicate as well.

[0] https://nvd.nist.gov/vuln/detail/CVE-2024-21506

*** This bug has been marked as a duplicate of bug 1226013 ***
Comment 12 Maintenance Automation 2024-06-13 16:30:11 UTC
SUSE-SU-2024:1571-2: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1222492
CVE References: CVE-2024-21506
Maintenance Incident: [SUSE:Maintenance:33727](https://smelt.suse.de/incident/33727/)
Sources used:
openSUSE Leap 15.6 (src):
 python-pymongo-3.11.0-150300.3.3.1
SUSE Package Hub 15 15-SP6 (src):
 python-pymongo-3.11.0-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.