CVE-2023-0437 - Vulnerability Details - OpenCVE

When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mongodb	C Driver

Configuration 1 [-]

cpe:2.3:a:mongodb:c_driver:*:*:*:*:*:mongodb:*:*

No data.

References

Link	Providers
https://jira.mongodb.org/browse/CDRIVER-4747
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GUVOAFZFSYTNBF6R7H4XJM5DHWBRQ6P/

History

Thu, 13 Feb 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 13 Feb 2025 16:45:00 +0000

Type	Values Removed	Values Added
Description	When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.	When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.

MITRE

Status: PUBLISHED

Assigner: mongodb

Published: 2024-01-12T13:33:39.503Z

Updated: 2025-02-13T16:38:57.696Z

Reserved: 2023-01-23T11:11:02.350Z

Link: CVE-2023-0437

Vulnrichment

Updated: 2024-08-02T05:10:56.230Z

NVD

Status : Modified

Published: 2024-01-12T14:15:47.387

Modified: 2025-02-13T17:15:55.057

Link: CVE-2023-0437

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-0437", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "state": "PUBLISHED", "assignerShortName": "mongodb", "dateReserved": "2023-01-23T11:11:02.350Z", "datePublished": "2024-01-12T13:33:39.503Z", "dateUpdated": "2025-02-13T16:38:57.696Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB C Driver", "vendor": "MongoDB Inc", "versions": [{"lessThan": "1.25.0", "status": "affected", "version": "1.0.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "selmelc"}], "datePublic": "2024-01-12T14:13:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>When calling <tt>bson_utf8_validate</tt> on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.</p>"}], "value": "When calling bson_utf8_validate\u00a0on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-24T03:06:26.169Z"}, "references": [{"url": "https://jira.mongodb.org/browse/CDRIVER-4747"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GUVOAFZFSYTNBF6R7H4XJM5DHWBRQ6P/"}], "source": {"discovery": "EXTERNAL"}, "title": "MongoDB client C Driver may infinitely loop when validating certain BSON input data", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:10:56.230Z"}, "title": "CVE Program Container", "references": [{"url": "https://jira.mongodb.org/browse/CDRIVER-4747", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GUVOAFZFSYTNBF6R7H4XJM5DHWBRQ6P/", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "mongodb", "product": "c_driver", "cpes": ["cpe:2.3:a:mongodb:c_driver:*:*:*:*:*:mongodb:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.25.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-17T17:59:44.056559Z", "id": "CVE-2023-0437", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T16:58:13.664Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jira.mongodb.org/browse/CDRIVER-4747", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GUVOAFZFSYTNBF6R7H4XJM5DHWBRQ6P/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:10:56.230Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-0437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-17T17:59:44.056559Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mongodb:c_driver:*:*:*:*:*:mongodb:*:*"], "vendor": "mongodb", "product": "c_driver", "versions": [{"status": "affected", "version": "0", "lessThan": "1.25.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T16:58:06.568Z"}}], "cna": {"title": "MongoDB client C Driver may infinitely loop when validating certain BSON input data", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "selmelc"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB Inc", "product": "MongoDB C Driver", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.25.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2024-01-12T14:13:00.000Z", "references": [{"url": "https://jira.mongodb.org/browse/CDRIVER-4747"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GUVOAFZFSYTNBF6R7H4XJM5DHWBRQ6P/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "When calling bson_utf8_validate\u00a0on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.", "supportingMedia": [{"type": "text/html", "value": "<p>When calling <tt>bson_utf8_validate</tt> on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-24T03:06:26.169Z"}}}, "cveMetadata": {"cveId": "CVE-2023-0437", "state": "PUBLISHED", "dateUpdated": "2025-02-13T16:38:57.696Z", "dateReserved": "2023-01-23T11:11:02.350Z", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2024-01-12T13:33:39.503Z", "assignerShortName": "mongodb"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:c_driver:*:*:*:*:*:mongodb:*:*", "matchCriteriaId": "82F06E2D-CEA4-4506-A89D-50D8E6551222", "versionEndExcluding": "1.25.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When calling bson_utf8_validate\u00a0on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0."}, {"lang": "es", "value": "Al llamar a bson_utf8_validate en algunas entradas puede ocurrir un bucle con una condici\u00f3n de salida que no se puede alcanzar, es decir, un bucle infinito. Este problema afecta a All MongoDB C Driver anteriores a la versi\u00f3n 1.25.0."}], "id": "CVE-2023-0437", "lastModified": "2025-02-13T17:15:55.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@mongodb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-12T14:15:47.387", "references": [{"source": "cna@mongodb.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/CDRIVER-4747"}, {"source": "cna@mongodb.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GUVOAFZFSYTNBF6R7H4XJM5DHWBRQ6P/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/CDRIVER-4747"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GUVOAFZFSYTNBF6R7H4XJM5DHWBRQ6P/"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "cna@mongodb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}