Описание
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| node-mongodb | fixed | 3.5.5+~cs11.12.19-1 | experimental | package |
| node-mongodb | fixed | 3.5.6+~cs11.12.19-1 | package | |
| node-mongodb | fixed | 3.1.13+~3.1.11-2+deb10u1 | buster | package |
Примечания
Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19
https://snyk.io/vuln/SNYK-JS-BSON-561052
https://github.com/mongodb/js-bson/commit/3809c1313a7b2a8001065f0271199df9fa3d16a8
Связанные уязвимости
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Уязвимость функции _bsotype программного пакета для парсинга BSON, позволяющая нарушителю выполнить произвольный код