CVE-2020-7610

NameCVE-2020-7610
DescriptionAll versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-mongodb (PTS)buster3.1.13+~3.1.11-2+deb10u1fixed
bullseye3.6.4+~cs11.13.19-1fixed
sid, bookworm3.6.4+~cs11.13.19-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-mongodbsourceexperimental3.5.5+~cs11.12.19-1
node-mongodbsourcebuster3.1.13+~3.1.11-2+deb10u1
node-mongodbsource(unstable)3.5.6+~cs11.12.19-1

Notes

Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19
https://snyk.io/vuln/SNYK-JS-BSON-561052
https://github.com/mongodb/js-bson/commit/3809c1313a7b2a8001065f0271199df9fa3d16a8

Search for package or bug name: Reporting problems