Bug 1820136 (CVE-2020-7610) - CVE-2020-7610 bson: Deserialization of Untrusted Data could result in Code injection or Excessive CPU load
Summary: CVE-2020-7610 bson: Deserialization of Untrusted Data could result in Code i...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-7610
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-02 10:45 UTC by Michael Kaplan
Modified: 2021-02-16 20:19 UTC (History)
12 users (show)

Fixed In Version: bson 1.1.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-20 22:31:48 UTC
Embargoed:

Attachments (Terms of Use)

Description Michael Kaplan 2020-04-02 10:45:50 UTC 
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Comment 1 Michael Kaplan 2020-04-02 10:45:57 UTC 
External References:

https://snyk.io/vuln/SNYK-JS-BSON-561052
Comment 2 Chess Hazlett 2020-04-20 16:51:00 UTC 
This report from snyk.io concerns nodejs/npm's implementation of bson (vertx and fuse both use mongodb's java impl, so it's notaffected). manifests suggest that while fedora ships the nodejs impl of bson, the version they ship is older than the affected version.

@mkaplan: should this have had a task associated with it?
Comment 3 Product Security DevOps Team 2020-04-20 22:31:48 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7610
Comment 4 Michael Kaplan 2020-04-22 08:34:59 UTC 
@chazlett: yes, it should.
Note You need to log in before you can comment on or make changes to this bug.