Lucene search

GoogleOSV:GHSA-H6RJ-8R3C-9GPJ

HistoryMar 05, 2018 - 7:43 p.m.

bson is vulnerable to denial of service due to incorrect regex validation

2018-03-0519:43:21

Google

osv.dev

0.014 Low

EPSS

Percentile

86.4%

JSON

BSON injection vulnerability in the legal function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string.

CPENameOperatorVersion
bsoneq1.8.0
bsoneq1.8.4
bsoneq1.1.3
bsoneq1.0.2
bsoneq1.5.2
bsoneq3.0.3
bsoneq1.2.3
bsoneq1.8.1.rc0
bsoneq1.2.1
bsoneq3.0.2

Name	Operator	Version
bson	eq	1.8.0
bson	eq	1.8.4
bson	eq	1.1.3
bson	eq	1.0.2
bson	eq	1.5.2
bson	eq	3.0.3
bson	eq	1.2.3
bson	eq	1.8.1.rc0
bson	eq	1.2.1
bson	eq	3.0.2

Rows per page:

1-10 of 831

References

sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html

www.openwall.com/lists/oss-security/2015/06/06/3

www.securityfocus.com/bid/75045

bugzilla.redhat.com/show_bug.cgi?id=1229750

github.com/advisories/GHSA-h6rj-8r3c-9gpj

github.com/mongodb/bson-ruby

github.com/mongodb/bson-ruby/commit/976da329ff03ecdfca3030eb6efe3c85e6db9999

github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7

github.com/rubysec/ruby-advisory-db/blob/master/gems/bson/CVE-2015-4412.yml

nvd.nist.gov/vuln/detail/CVE-2015-4412