📂 Vulnerable Library - mongodb-2.2.36.tgz
The official MongoDB driver for Node.js
Path to dependency file: /package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2020-7610 |
🟣 Critical |
9.3 |
Not Defined |
< 1% |
bson-1.0.9.tgz |
Transitive |
N/A |
❌ |
 Reachable |
| WS-2019-0311 |
🟠 Medium |
6.5 |
N/A |
N/A |
mongodb-2.2.36.tgz |
Direct |
mongodb - 3.1.13 |
✅ |
Reachable |
Details
🟣CVE-2020-7610
Vulnerable Library - bson-1.0.9.tgz
A bson parser for node.js and the browser
Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- mongodb-2.2.36.tgz (Root Library)
- mongodb-core-2.1.20.tgz
- ❌ bson-1.0.9.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- owasp-nodejs-goat-1.3.0/server.js (Application)
- mongodb-2.2.36/index.js (Extension)
- mongodb-core-2.1.20/index.js (Extension)
- bson-1.0.9/index.js (Extension)
- bson-1.0.9/lib/bson/bson.js (Extension)
-> ❌ bson-1.0.9/lib/bson/parser/serializer.js (Vulnerable Component)
Vulnerability Details
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Publish Date: Mar 30, 2020 06:28 PM
URL: CVE-2020-7610
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-v8w9-2789-6hhr
Release Date: Mar 30, 2020 06:28 PM
Fix Resolution : bson - 1.1.4
🟠WS-2019-0311
Vulnerable Library - mongodb-2.2.36.tgz
The official MongoDB driver for Node.js
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-2.2.36.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ❌ mongodb-2.2.36.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- owasp-nodejs-goat-1.3.0/server.js (Application)
- mongodb-2.2.36/index.js (Extension)
- mongodb-2.2.36/lib/collection.js (Extension)
- mongodb-2.2.36/lib/bulk/ordered.js (Extension)
-> ❌ mongodb-2.2.36/lib/bulk/common.js (Vulnerable Component)
Vulnerability Details
In 'node-mongodb-native', versions prior to v3.1.13 are vulnerable against DOS as a result of a potential crash when a collection name is invalid and the DB doesn't exist.
Publish Date: Jan 23, 2019 05:51 PM
URL: WS-2019-0311
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1203
Release Date: Jan 23, 2019 05:51 PM
Fix Resolution : mongodb - 3.1.13
📂 Vulnerable Library - mongodb-2.2.36.tgz
The official MongoDB driver for Node.js
Path to dependency file: /package.json
Findings
Details
🟣CVE-2020-7610
Vulnerable Library - bson-1.0.9.tgz
A bson parser for node.js and the browser
Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Publish Date: Mar 30, 2020 06:28 PM
URL: CVE-2020-7610
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-v8w9-2789-6hhr
Release Date: Mar 30, 2020 06:28 PM
Fix Resolution : bson - 1.1.4
🟠WS-2019-0311
Vulnerable Library - mongodb-2.2.36.tgz
The official MongoDB driver for Node.js
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-2.2.36.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
In 'node-mongodb-native', versions prior to v3.1.13 are vulnerable against DOS as a result of a potential crash when a collection name is invalid and the DB doesn't exist.
Publish Date: Jan 23, 2019 05:51 PM
URL: WS-2019-0311
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1203
Release Date: Jan 23, 2019 05:51 PM
Fix Resolution : mongodb - 3.1.13