Description
📂 Vulnerable Library - mongodb-2.2.36.tgz
The official MongoDB driver for Node.js
Path to dependency file: /package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-7610 | 🟣 Critical | 9.8 | Not Defined | < 1% | bson-1.0.9.tgz | Transitive | N/A | ❌ | |
| WS-2019-0311 | 🟠 Medium | 6.5 | N/A | N/A | mongodb-2.2.36.tgz | Direct | mongodb - 3.1.13 | ✅ | |
Details
🟣 CVE-2020-7610
Vulnerable Library - bson-1.0.9.tgz
A bson parser for node.js and the browser
Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- mongodb-2.2.36.tgz (Root Library)
  - mongodb-core-2.1.20.tgz
    - ❌ bson-1.0.9.tgz (Vulnerable Library)
Vulnerability Details
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Publish Date: Mar 30, 2020 06:28 PM
URL: CVE-2020-7610
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-v8w9-2789-6hhr
Release Date: Mar 30, 2020 06:28 PM
Fix Resolution: bson - 1.1.4, https://github.com/mongodb/js-bson.git - no_fix
🟠 WS-2019-0311
Vulnerable Library - mongodb-2.2.36.tgz
The official MongoDB driver for Node.js
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-2.2.36.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ❌ mongodb-2.2.36.tgz (Vulnerable Library)
Vulnerability Details
In 'node-mongodb-native', versions prior to v3.1.13 are vulnerable to denial of service (DoS) as a result of a potential crash when a collection name is invalid and the DB doesn't exist.
Publish Date: Jan 23, 2019 05:51 PM
URL: WS-2019-0311
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1203
Release Date: Jan 23, 2019 05:51 PM
Fix Resolution: mongodb - 3.1.13