PT-2018-12230 · Mongodb · Mongodb Bson Javascript Module

James Davis

Publicado

2018-07-10

Atualizado

2019-10-03

CVE-2018-13863

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions MongoDB bson JavaScript module versions 0.5.0 through 1.0.4

Description The issue is related to a Regular Expression Denial of Service (ReDoS) in the lib/bson/decimal128.js file. It occurs when the Decimal128.fromString() function is used to parse a long untrusted string.

Recommendations For MongoDB bson JavaScript module versions 0.5.0 through 1.0.4, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting the input to the Decimal128.fromString() function to prevent parsing of long untrusted strings.

Exploit

Correção

Resource Exhaustion

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-185CWE-400

Identificadores relacionados

CVE-2018-13863

GHSA-8462-Q7X7-G2X4

Produtos afetados

Mongodb Bson Javascript Module

PT-2018-12230 · Mongodb · Mongodb Bson Javascript Module

CVE-2018-13863

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 12