PT-2018-12230 · Mongodb · Mongodb Bson Javascript Module

James Davis · Published 2018-07-10 · Updated 2019-10-03 · CVE-2018-13863

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: MongoDB bson JavaScript module versions 0.5.0 through 1.0.4

Description: The issue is a Regular Expression Denial of Service (ReDoS) in the lib/bson/decimal128.js file. It occurs when the Decimal128.fromString() function is used to parse a long untrusted string.

Recommendations: For MongoDB bson JavaScript module versions 0.5.0 through 1.0.4, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, restrict the input passed to Decimal128.fromString() so that long untrusted strings are never handed to the parser.
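As an added example of the workaround above (not code from the advisory or from the bson project), a guard placed in front of Decimal128.fromString() that rejects over-long or malformed strings in a single linear pass with no regular expression, so the guard itself cannot be a ReDoS target. The 64-character bound, the function names and the injected parser are assumptions.

```javascript
// Assumed bound on an untrusted Decimal128 string; not a value from the advisory.
// A Decimal128 has 34 significant digits and a 4-digit exponent, so legitimate
// inputs are far shorter than this.
const MAX_DECIMAL128_STRING = 64;

function isDigit(c) {
  return c >= '0' && c <= '9';
}

// Linear-time shape check for  [+-]digits[.digits][(E|e)[+-]digits]  plus the
// special values NaN and Infinity (optionally signed). Stricter than the
// library parser by design: anything it rejects simply never reaches fromString().
function isSafeDecimal128String(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length > MAX_DECIMAL128_STRING) {
    return false;
  }
  let i = 0;
  if (s[i] === '+' || s[i] === '-') i++;
  const rest = s.slice(i);
  if (rest === 'NaN' || rest === 'Infinity') return true;

  let mantissaDigits = 0;
  while (i < s.length && isDigit(s[i])) { i++; mantissaDigits++; }
  if (i < s.length && s[i] === '.') {
    i++;
    while (i < s.length && isDigit(s[i])) { i++; mantissaDigits++; }
  }
  if (mantissaDigits === 0) return false; // "", ".", "+", "-." and similar

  if (i < s.length && (s[i] === 'E' || s[i] === 'e')) {
    i++;
    if (i < s.length && (s[i] === '+' || s[i] === '-')) i++;
    let exponentDigits = 0;
    while (i < s.length && isDigit(s[i])) { i++; exponentDigits++; }
    if (exponentDigits === 0) return false; // "1E", "1E+" have no exponent value
  }
  return i === s.length; // any trailing junk fails the check
}

// Wrapper to use instead of calling the library directly. `fromString` is
// injected so this file runs without the bson package installed; in an
// application it would be Decimal128.fromString from require('bson').
function safeDecimal128FromString(fromString, s) {
  if (!isSafeDecimal128String(s)) {
    throw new RangeError('rejected untrusted Decimal128 string');
  }
  return fromString(s);
}
```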

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2018-13863
GHSA-8462-Q7X7-G2X4

Affected Products

Mongodb Bson Javascript Module