CVE-2015-4411

7.5HIGH

Key Information:

Vendor: Mongodb
Status: Bson
Vendor: CVE Published:; 20 February 2020

Summary

The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0.4 as used in rubygem-moped allows remote attackers to cause a denial of service (worker resource consumption) via a crafted string. NOTE: This issue is due to an incomplete fix to CVE-2015-4410.

References

https://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html

x_refsource_MISC

https://homakov.blogspot.ru/2012/05/saferweb-injects-in-v...

x_refsource_MISC

http://lists.fedoraproject.org/pipermail/package-announce...

x_refsource_MISC

EPSS Score

2% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 20, 2020
Vulnerability Reserved
Jun 6, 2015

.