Deserialization of Untrusted Data in js-bson

#VU30319 Deserialization of Untrusted Data in js-bson

Published: 2020-03-31 | Updated: 2020-07-17

Vulnerability identifier: #VU30319

Vulnerability risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2391

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
js-bson
Web applications / JS libraries

Vendor: MongoDB, Inc.

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.

Mitigation
Install update from vendor's website.

Vulnerable software versions

js-bson: 1.1.0 - 1.1.3

External links
http://github.com/mongodb/js-bson/releases/tag/v1.1.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Deserialization of Untrusted Data in MongoDB, js-bson