Bug 487166 (CVE-2013-1892) - <dev-db/mongodb-{2.2.4,2.4.5}: Two RCE vulnerabilities (CVE-2013-{1892,3969})
Status: RESOLVED FIXED
Alias: CVE-2013-1892
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-07 00:04 UTC by GLSAMaker/CVETool Bot
Modified: 2013-10-07 00:06 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2013-10-07 00:04:22 UTC
CVE-2013-3969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3969):
  The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4
  allows remote authenticated users to cause a denial of service
  (uninitialized pointer dereference and server crash) or possibly execute
  arbitrary code via an invalid RefDB object.

CVE-2013-1892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1892):
  MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate
  requests to the nativeHelper function in SpiderMonkey, which allows remote
  authenticated users to cause a denial of service (invalid memory access and
  server crash) or execute arbitrary code via a crafted memory address in the
  first argument.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-07 00:06:15 UTC
Fixed versions have already been in the tree and vulnerable versions have been dropped. Closing noglsa.