oss-sec mailing list archives
Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)
From: cve-assign () mitre org
Date: Tue, 7 Jan 2014 17:15:11 -0500 (EST)
There is a memory over-read bug that can be used by an authenticated user (if applicable) to obtain raw MongoDB server process memory contents via incorrect BSON object length. I guess that under most deployments this does not cross a security boundary, but for some it could (differently-privileged MongoDB users, data already deleted from the DB yet staying in process memory, or/and metadata that is not normally retrievable).
Use CVE-2012-6619.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
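The bug class named in this message, a BSON length prefix trusted beyond the bytes actually received, is normally closed by a bounds check of the following kind. This is an added example, not code from the original post or from MongoDB; the function and enum names are hypothetical and the sample documents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for this illustrative validator (names are assumptions). */
enum bson_check { BSON_OK, BSON_TOO_SHORT, BSON_LEN_OUT_OF_RANGE, BSON_NO_TERMINATOR };

/* Decode the little-endian length prefix byte by byte (no unaligned access). */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* A BSON document is: int32 total length (counting itself), elements, 0x00.
 * The prefix is sender-controlled, so check it against the bytes actually
 * received (avail) before it sizes any read or copy. */
enum bson_check bson_check_length(const uint8_t *buf, size_t avail)
{
    if (buf == NULL || avail < 5)              /* 4-byte prefix + terminator */
        return BSON_TOO_SHORT;
    uint32_t declared = read_le32(buf);
    if (declared < 5 || declared > (uint32_t)INT32_MAX)
        return BSON_LEN_OUT_OF_RANGE;          /* too small, or negative as int32 */
    if (declared > avail)                      /* would read past the buffer */
        return BSON_LEN_OUT_OF_RANGE;
    if (buf[declared - 1] != 0x00)             /* document must end in 0x00 */
        return BSON_NO_TERMINATOR;
    return BSON_OK;
}

/* Constructed sample inputs. */
static const uint8_t doc_ok[]       = {0x0c,0,0,0, 0x10,'a',0, 1,0,0,0, 0x00}; /* {"a": 1} */
static const uint8_t doc_overlong[] = {0x00,0x10,0,0, 0x00};       /* claims 4096, has 5 */
static const uint8_t doc_negative[] = {0xff,0xff,0xff,0xff, 0x00}; /* length -1 */
static const uint8_t doc_no_term[]  = {0x05,0,0,0, 0x01};          /* last byte not 0x00 */

int main(void)
{
    printf("ok=%d overlong=%d negative=%d no_term=%d\n",
           bson_check_length(doc_ok, sizeof doc_ok),
           bson_check_length(doc_overlong, sizeof doc_overlong),
           bson_check_length(doc_negative, sizeof doc_negative),
           bson_check_length(doc_no_term, sizeof doc_no_term));
    return 0;
}
```

The comparison is `declared > avail` rather than `!=` because a wire message can carry further data after one document; nested documents need the same check against the bytes remaining in their parent.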
Current thread:
- [HITB-Announce] HITB Magazine Issue 10 Out Now Hafez Kamal (Jan 06)
- MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now) Solar Designer (Jan 06)
- Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now) cve-assign (Jan 07)