Vulnerability Name: CVE-2020-7610 (CCN-178711)
Assigned: 2020-03-24
Published: 2020-03-24
Updated: 2020-04-01
Summary: All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
CVSS v3 Severity:
  9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
  8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
CVSS v2 Severity:
  7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Vulnerability Type: CWE-502
Vulnerability Consequences: Gain Access
References:
  Source: MITRE Type: CNA
    CVE-2020-7610
  Source: XF Type: UNKNOWN
    bson-cve20207610-code-exec(178711)
  Source: CCN Type: js-bson GIT Repository
    fix: throw if invalid _bsontype is detected
  Source: CCN Type: SNYK-JS-BSON-561052
    Deserialization of Untrusted Data
  Source: MISC Type: Patch, Third Party Advisory
    https://snyk.io/vuln/SNYK-JS-BSON-561052
  Source: CCN Type: NPM Web site
    bson
Vulnerable Configuration:
  Configuration 1:
  Configuration CCN 1:
  Denotes that component is vulnerable