Uploaded image for project: 'Compass '
  1. Compass
  2. COMPASS-7260

More strictly validate connection strings from untrusted sources

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Critical - P2 Critical - P2
    • 1.42.1
    • Affects Version/s: None
    • Component/s: Security
    • None
    • Environment:
      OS:
      node.js / npm versions:
      Additional info:
    • 5
    • Not Needed
    • Iteration Lambeosaurus, Iteration Minmi, Iteration Nodosaurus, Iteration Pterodactyl, Iteration Triceratops, Iteration Triceratops 1, Iteration Utahraptor

      CVE ID: 

      CVE-2024-3371

      Title:

      Insufficient validation of external input in Compass may enable MITM attacks

      Description:

      MongoDB Compass may accept and use insufficiently validated input from an untrusted external source. This may cause unintended application behavior, including data disclosure and enabling attackers to impersonate users. This issue affects MongoDB Compass versions 1.35.0 to 1.42.0.

      CVSS Score:

      This issue's CVSS:3.1 severity is scored at 7.1 using the following scoring metrics:

      CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

      List all affected product versions:

      MongoDB Compass versions 1.35.0 to 1.42.0

      CWE:         
      CWE-360: Trust of System Event Data

      Is a fixed version available:

      COMPASS-7260.

            Assignee:
            sergey.petushkov@mongodb.com Sergey Petushkov
            Reporter:
            anna.henningsen@mongodb.com Anna Henningsen
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: