Description
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's `_bsontype`, leading to cases where an object is serialized as a document rather than the intended BSON type.
Affected Package
Related
{"id": "DEBIANCVE:CVE-2020-7610", "vendorId": null, "type": "debiancve", "bulletinFamily": "info", "title": "CVE-2020-7610", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.", "published": "2020-03-30T19:15:00", "modified": "2020-03-30T19:15:00", "epss": [{"cve": "CVE-2020-7610", "epss": 0.00349, "percentile": 0.67639, "modified": "2023-05-27"}], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://security-tracker.debian.org/tracker/CVE-2020-7610", "reporter": "Debian Security Bug Tracker", "references": [], "cvelist": ["CVE-2020-7610"], "immutableFields": [], "lastseen": "2023-05-27T15:15:23", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-7610"]}, {"type": "github", "idList": ["GHSA-V8W9-2789-6HHR"]}, {"type": "nodejs", "idList": ["NODEJS:1686"]}, {"type": "osv", 
"idList": ["OSV:GHSA-V8W9-2789-6HHR"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-7610"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-7610"]}, {"type": "veracode", "idList": ["VERACODE:22833"]}]}, "score": {"value": 8.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-7610"]}, {"type": "github", "idList": ["GHSA-V8W9-2789-6HHR"]}, {"type": "nodejs", "idList": ["NODEJS:1686"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-7610"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-7610"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2020-7610", "epss": 0.00349, "percentile": 0.67535, "modified": "2023-05-02"}], "vulnersScore": 8.9}, "_state": {"dependencies": 1685214608, "score": 1685201317, "epss": 0}, "_internal": {"score_hash": "1120f847401e93e5718da870d67b37b8"}, "affectedPackage": [{"OS": "Debian", "OSVersion": "12", "arch": "all", "packageFilename": "node-mongodb_3.5.6+~cs11.12.19-1_all.deb", "packageVersion": "3.5.6+~cs11.12.19-1", "operator": "lt", "status": "resolved", "packageName": "node-mongodb"}, {"OS": "Debian", "OSVersion": "11", "arch": "all", "packageFilename": "node-mongodb_3.5.6+~cs11.12.19-1_all.deb", "packageVersion": "3.5.6+~cs11.12.19-1", "operator": "lt", "status": "resolved", "packageName": "node-mongodb"}, {"OS": "Debian", "OSVersion": "10", "arch": "all", "packageFilename": "node-mongodb_3.1.13+~3.1.11-2+deb10u1_all.deb", "packageVersion": "3.1.13+~3.1.11-2+deb10u1", "operator": "lt", "status": "resolved", "packageName": "node-mongodb"}, {"OS": "Debian", "OSVersion": "999", "arch": "all", "packageFilename": "node-mongodb_3.5.6+~cs11.12.19-1_all.deb", "packageVersion": "3.5.6+~cs11.12.19-1", "operator": "lt", "status": "resolved", "packageName": "node-mongodb"}]}
{"nodejs": [{"lastseen": "2021-07-28T14:37:03", "description": "## Overview\n\nVersions of `bson` before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.\n\n## Recommendation\n\nUpgrade to version 1.1.4 or later\n\n## References\n\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-7610)\n- [GitHub Advisory](https://github.com/advisories/GHSA-v8w9-2789-6hhr)", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-07T16:07:11", "type": "nodejs", "title": "Deserialization of Untrusted Data in bson", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2021-05-07T16:13:54", "id": "NODEJS:1686", "href": "https://www.npmjs.com/advisories/1686", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T11:52:32", "description": "bson is vulnerable to deserialization of untrusted object. 
The vulnerability exists as it does not properly check the values of `_bsontype`, allowing the value to be skipped.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-31T06:02:14", "type": "veracode", "title": "Deserialization Of Untrusted Object", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2020-10-13T12:49:27", "id": "VERACODE:22833", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-22833/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-03-30T23:03:14", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. 
The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T16:04:54", "type": "osv", "title": "Deserialization of Untrusted Data in bson", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2023-03-30T22:46:24", "id": "OSV:GHSA-V8W9-2789-6HHR", "href": "https://osv.dev/vulnerability/GHSA-v8w9-2789-6hhr", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-05-27T15:15:57", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. 
The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T16:04:54", "type": "github", "title": "Deserialization of Untrusted Data in bson", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2023-03-30T22:46:25", "id": "GHSA-V8W9-2789-6HHR", "href": "https://github.com/advisories/GHSA-v8w9-2789-6hhr", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-05-27T15:04:39", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. 
The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-30T19:15:00", "type": "cve", "title": "CVE-2020-7610", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2020-04-01T19:47:00", "cpe": [], "id": "CVE-2020-7610", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7610", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "ubuntucve": [{"lastseen": "2023-05-27T13:37:58", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of\nUntrusted Data. The package will ignore an unknown value for an object's\n_bsotype, leading to cases where an object is serialized as a document\nrather than the intended BSON type.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | The github patch link from snyk.io shows a diff with 'serializer.js', but the description is for Deserialization. 
I don't know if this is intentoinal or not.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-30T00:00:00", "type": "ubuntucve", "title": "CVE-2020-7610", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2020-03-30T00:00:00", "id": "UB:CVE-2020-7610", "href": "https://ubuntu.com/security/CVE-2020-7610", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2023-05-27T17:19:42", "description": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. 
The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-02T11:01:28", "type": "redhatcve", "title": "CVE-2020-7610", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7610"], "modified": "2023-04-06T07:59:02", "id": "RH:CVE-2020-7610", "href": "https://access.redhat.com/security/cve/cve-2020-7610", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}