Description
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package ignores an unknown value for an object's `_bsontype` property, leading to cases where such an object is serialized as a plain document rather than as the intended BSON type.
{"id": "CVE-2020-7610", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-7610", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.", "published": "2020-03-30T19:15:00", "modified": "2020-04-01T19:47:00", "epss": [{"cve": "CVE-2020-7610", "epss": 0.00349, "percentile": 0.67639, "modified": "2023-05-27"}], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7610", "reporter": "report@snyk.io", "references": ["https://snyk.io/vuln/SNYK-JS-BSON-561052"], "cvelist": ["CVE-2020-7610"], "immutableFields": [], "lastseen": "2023-05-27T15:04:39", "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-7610"]}, {"type": "github", "idList": ["GHSA-V8W9-2789-6HHR"]}, {"type": "nodejs", "idList": 
["NODEJS:1686"]}, {"type": "osv", "idList": ["OSV:GHSA-V8W9-2789-6HHR"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-7610"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-7610"]}, {"type": "veracode", "idList": ["VERACODE:22833"]}]}, "score": {"value": 4.8, "vector": "NONE"}, "twitter": {"counter": 2, "tweets": [{"link": "https://twitter.com/vigilance_en/status/1392527253469270026", "text": "Vigil@nce /hashtag/Vulnerability?src=hashtag_click of Node.js bson: code execution via Deserialization. https://t.co/z8LRCfHJzU?amp=1 Identifiers: /hashtag/CVE?src=hashtag_click-2020-7610. /hashtag/infosec?src=hashtag_click"}, {"link": "https://twitter.com/vigilance_fr/status/1392527249656668169", "text": "Vigil@nce /hashtag/Vuln\u00e9rabilit\u00e9?src=hashtag_click de Node.js bson : ex\u00e9cution de code via Deserialization. https://t.co/SOo7eaCPMs?amp=1 R\u00e9f\u00e9rences : /hashtag/CVE?src=hashtag_click-2020-7610. /hashtag/infosec?src=hashtag_click"}], "modified": "2021-04-23T01:09:48"}, "backreferences": {"references": [{"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-7610"]}, {"type": "github", "idList": ["GHSA-V8W9-2789-6HHR"]}, {"type": "nodejs", "idList": ["NODEJS:1686"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-7610"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-7610"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "mongodb bson", "version": 1}]}, "epss": [{"cve": "CVE-2020-7610", "epss": 0.00349, "percentile": 0.67541, "modified": "2023-05-07"}], "vulnersScore": 4.8}, "_state": {"dependencies": 1685204855, "score": 1685199920, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "1120f847401e93e5718da870d67b37b8"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-502"], "affectedSoftware": [{"cpeName": "mongodb:bson", "version": "1.1.4", "operator": "lt", "name": "mongodb bson"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": 
[{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:mongodb:bson:1.1.4:*:*:*:*:node.js:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.1.4", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://snyk.io/vuln/SNYK-JS-BSON-561052", "name": "https://snyk.io/vuln/SNYK-JS-BSON-561052", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}], "product_info": [{"vendor": "Mongodb", "product": "Bson"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"description": "Deserialization of Untrusted Data", "lang": "en", "type": "text"}]}], "exploits": []}
{"nodejs": [{"lastseen": "2021-07-28T14:37:03", "description": "## Overview\n\nVersions of `bson` before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.\n\n## Recommendation\n\nUpgrade to version 1.1.4 or later\n\n## References\n\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-7610)\n- [GitHub Advisory](https://github.com/advisories/GHSA-v8w9-2789-6hhr)", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-07T16:07:11", "type": "nodejs", "title": "Deserialization of Untrusted Data in bson", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2021-05-07T16:13:54", "id": "NODEJS:1686", "href": "https://www.npmjs.com/advisories/1686", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T11:52:32", "description": "bson is vulnerable to deserialization of untrusted object. 
The vulnerability exists as it does not properly check the values of `_bsontype`, allowing the value to be skipped.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-31T06:02:14", "type": "veracode", "title": "Deserialization Of Untrusted Object", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2020-10-13T12:49:27", "id": "VERACODE:22833", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-22833/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-03-30T23:03:14", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. 
The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T16:04:54", "type": "osv", "title": "Deserialization of Untrusted Data in bson", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2023-03-30T22:46:24", "id": "OSV:GHSA-V8W9-2789-6HHR", "href": "https://osv.dev/vulnerability/GHSA-v8w9-2789-6hhr", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-05-27T15:15:57", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. 
The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T16:04:54", "type": "github", "title": "Deserialization of Untrusted Data in bson", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2023-03-30T22:46:25", "id": "GHSA-V8W9-2789-6HHR", "href": "https://github.com/advisories/GHSA-v8w9-2789-6hhr", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-05-27T13:37:58", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of\nUntrusted Data. The package will ignore an unknown value for an object's\n_bsotype, leading to cases where an object is serialized as a document\nrather than the intended BSON type.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | The github patch link from snyk.io shows a diff with 'serializer.js', but the description is for Deserialization. 
I don't know if this is intentoinal or not.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-30T00:00:00", "type": "ubuntucve", "title": "CVE-2020-7610", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2020-03-30T00:00:00", "id": "UB:CVE-2020-7610", "href": "https://ubuntu.com/security/CVE-2020-7610", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-05-27T15:15:23", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. 
The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-30T19:15:00", "type": "debiancve", "title": "CVE-2020-7610", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2020-03-30T19:15:00", "id": "DEBIANCVE:CVE-2020-7610", "href": "https://security-tracker.debian.org/tracker/CVE-2020-7610", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2023-05-27T17:19:42", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. 
The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-02T11:01:28", "type": "redhatcve", "title": "CVE-2020-7610", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2023-04-06T07:59:02", "id": "RH:CVE-2020-7610", "href": "https://access.redhat.com/security/cve/cve-2020-7610", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}