CVE-2015-4411

HIGH

Mongodb Bson < 3.0.4 - Denial of Service

Title source: rule

Description

The Moped::BSON::ObjectId.legal? method in mongodb/bson-ruby before 3.0.4, as used in rubygem-moped, allows remote attackers to cause a denial of service (worker resource consumption) via a crafted string. NOTE: this issue is due to an incomplete fix for CVE-2015-4410.
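The string-validation pattern behind this pair of CVEs, as an added example that is not bson-ruby's or moped's own code: the exact vulnerable and patched implementations of `legal?` are not reproduced here. The weak form below shows the Ruby regex-anchoring mistake that the "mongo_ruby_regexp" reference above concerns (`^` and `$` match at line boundaries in Ruby, so they accept any string that merely contains a valid-looking line), and the hardened form is an assumed defensive rewrite: type check, a byte-length guard before any regex runs, and `\A`/`\z` anchoring. Sample inputs are constructed.

```ruby
# Added example (not bson-ruby's code): weak vs. hardened hex ObjectId validation.
#
# In Ruby, ^ and $ match at line boundaries, not string boundaries, so
# /^\h{24}$/ accepts any input that merely contains a line of 24 hex digits.
# \A and \z anchor to the whole string.

HEX24_LINE_ANCHORED   = /^[0-9a-f]{24}$/i   # line-anchored: the weak form
HEX24_STRING_ANCHORED = /\A\h{24}\z/        # string-anchored: \h == [0-9a-fA-F]

# Weak check: any input with a 24-hex-digit line somewhere in it passes,
# and the regex scans the whole (possibly huge) input before failing.
def weak_legal?(value)
  value.to_s.match?(HEX24_LINE_ANCHORED)
end

# Hardened check (assumed rewrite): cheap tests first, regex last.
def hardened_legal?(value)
  return false unless value.is_a?(String)   # reject symbols, numbers, arrays, hashes
  return false unless value.bytesize == 24  # O(1) size guard before any regex work
  value.match?(HEX24_STRING_ANCHORED)
end

VALID_ID = "507f1f77bcf86cd799439011"

# Constructed sample inputs covering the valid case and the edge cases.
SAMPLES = {
  valid:       VALID_ID,
  multiline:   "#{VALID_ID}\nextra line",   # passes the line-anchored regex
  trailing_nl: "#{VALID_ID}\n",             # $ matches before a final newline
  uppercase:   VALID_ID.upcase,             # both forms accept hex case-insensitively
  huge:        "x" * 10_000_000,            # size guard rejects without scanning
  not_string:  12345,
}.freeze

# Returns { name => [weak_result, hardened_result] } for each sample.
def compare(samples = SAMPLES)
  samples.transform_values { |v| [weak_legal?(v), hardened_legal?(v)] }
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |name, (weak, hard)|
    puts "#{name.to_s.ljust(12)} weak=#{weak} hardened=#{hard}"
  end
end
```

The ordering in `hardened_legal?` matters for the denial-of-service angle: a type check and a fixed-size comparison cost nothing regardless of input size, whereas a regex applied to an attacker-controlled string of arbitrary length does work proportional to that length on every request. On Ruby 3.2 and later, `Regexp.timeout=` is an additional process-wide backstop against slow matches, but it does not replace validating size up front.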

References (14)

Core References
https://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html (Exploit, Third Party Advisory)
https://homakov.blogspot.ru/2012/05/saferweb-injects-in-various-ruby.html (Exploit, Third Party Advisory)
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161987.html (Mailing List, Third Party Advisory)
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161964.html (Mailing List, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2015/06/06/3 (Mailing List, Third Party Advisory)
http://www.securityfocus.com/bid/75045 (Third Party Advisory, VDB Entry)
https://bugzilla.redhat.com/show_bug.cgi?id=1229706 (Issue Tracking, Third Party Advisory)
https://seclists.org/oss-sec/2015/q2/653 (Mailing List, Third Party Advisory)
https://www.securityfocus.com/bid/75045 (Third Party Advisory, VDB Entry)
https://security-tracker.debian.org/tracker/CVE-2015-4411 (Third Party Advisory)

Scores

CVSS v3 7.5 (HIGH)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector NETWORK
EPSS 0.0353
EPSS Percentile 87.7%

Details

CWE
CWE-400 (Uncontrolled Resource Consumption)
Status published
Products (4)
fedoraproject/fedora 21
fedoraproject/fedora 22
mongodb/bson < 3.0.4
rubygems/bson 0 - 3.0.4 (RubyGems)
Published Feb 20, 2020
Tracked Since Feb 18, 2026