CVE-2024-6382

Published Jul 2, 2024

Last updated 7 months ago

CVSS medium 6.4

MongoDB

Rust

Overview

Description: Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2
Source: cna@mongodb.com
NVD status: Analyzed
Products: rust_driver

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: HIGH

Weaknesses

cna@mongodb.com: CWE-228

Hype score: Not currently trending

My writeup for the KalmarCTF challenge "no sqli" is out, covering the exploitation of CVE-2024-6382, an integer overflow in the Rust's MongoDB library. A very interesting challenge, enjoy! :) https://t.co/2ilHVAZXmr
@_Worty
17 Mar 2025
6471 Impressions
26 Retweets
145 Likes
42 Bookmarks
1 Reply
1 Quote

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:mongodb:rust_driver:*:*:*:*:*:mongodb:*:*",
            "matchCriteriaId": "4A0DC731-594D-402E-BDF6-650A7A8FBC80",
            "versionEndExcluding": "2.8.2",
            "versionStartIncluding": "2.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References