Internal Property Tampering in bson

Do your applications use this vulnerable package? Test your applications

Overview

bson is a BSON Parser for node and browser.

Affected versions of this package are vulnerable to Internal Property Tampering. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

Remediation

Upgrade bson to version 1.1.4 or higher.

References

GitHub Commit
Release Note

Attack Vector

Network
Attack Complexity

High
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

High
Availability

High

Credit: xiaofen9
CVE: CVE-2019-2391 CVE-2020-7610
CWE: CWE-642
Snyk ID: SNYK-JS-BSON-561052
Disclosed: 24 Mar, 2020
Published: 24 Mar, 2020

Internal Property Tampering
Affecting bson package, versions >=1.0.0 <1.1.4

Overview

Remediation

References

CVSS Score

Internal Property Tampering Affecting bson package, versions >=1.0.0 <1.1.4

Overview

Remediation

References

Internal Property Tampering
Affecting bson package, versions >=1.0.0 <1.1.4