Denial of Service Vulnerability in MongoDB BSON Ruby by Moped
CVE-2015-4411

7.5HIGH

Key Information:

Vendor
Mongodb
Status
Bson
Vendor
CVE Published:
20 February 2020

Summary

The Moped::BSON::ObjecId.legal? method in the mongoid/moped library, prior to version 3.0.4, is susceptible to crafted input that could lead to resource exhaustion. This vulnerability allows remote attackers to exploit the method, resulting in a denial of service by consuming worker resources. This was reported as a result of an incomplete fix related to a previous vulnerability (CVE-2015-4410).

References

https://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
x_refsource_MISC
https://homakov.blogspot.ru/2012/05/saferweb-injects-in-v...
x_refsource_MISC
http://lists.fedoraproject.org/pipermail/package-announce...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.