#VU36925 Input validation error in js-bson - CVE-2018-13863

Cybersecurity Help s.r.o.

Published: 2018-07-10 | Updated: 2020-08-08

Vulnerability identifier: #VU36925

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-13863

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
js-bson
Web applications / JS libraries

Vendor: MongoDB, Inc.

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.

Mitigation
Install update from vendor's website.

Vulnerable software versions

js-bson: 0.5.0 - 1.0.4

External links
https://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a
https://snyk.io/vuln/npm:bson:20180225

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in MongoDB, js-bson