Input validation error in js-bson

#VU36925 Input validation error in js-bson

Published: 2018-07-10 | Updated: 2020-08-08

Vulnerability identifier: #VU36925

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-13863

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
js-bson
Web applications / JS libraries

Vendor: MongoDB, Inc.

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.

Mitigation
Install update from vendor's website.

Vulnerable software versions

js-bson: 0.5.0 - 1.0.4

External links
http://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a
http://snyk.io/vuln/npm:bson:20180225

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in MongoDB, js-bson