GHSA-v8w9-2789-6hhr

Source

https://github.com/advisories/GHSA-v8w9-2789-6hhr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-v8w9-2789-6hhr/GHSA-v8w9-2789-6hhr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v8w9-2789-6hhr

Aliases

CVE-2020-7610

Published

2021-05-07T16:04:54Z

Modified

2025-01-14T08:57:20.736532Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Deserialization of Untrusted Data in bson

Details

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ],
    "github_reviewed_at": "2021-05-06T23:40:10Z",
    "nvd_published_at": "2020-03-30T19:15:00Z",
    "severity": "CRITICAL"
}

References

Affected packages

npm / bson

Package

Name: bson; View open source insights on deps.dev
Purl: pkg:npm/bson

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.4