PT-2020-3488 · Mongodb+4 · Bson+4

Seong-Joong Kim

Published

2014-09-11

Updated

2020-08-12

CVE-2020-12135

CVSS v2.0

7.1

High

Vector

AV:N/AC:M/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions bson versions prior to 0.8

Description The issue is caused by an integer overflow due to the incorrect use of int instead of size t for many variables, parameters, and return values in the bson package. Specifically, the bson ensure space() function's bytesNeeded parameter can be exploited via properly constructed bson input, potentially leading to a denial of service.

Recommendations For versions prior to 0.8, update to version 0.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the bson ensure space() function until a patch is available. Avoid using the bytesNeeded parameter in the affected bson ensure space() function until the issue is resolved.

Exploit

Fix

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-190

Related Identifiers

ALT-PU-2014-2131

BDU:2020-03812

CVE-2020-12135

USN-4450-1

Affected Products

Alt Linux

Debian

Linuxmint

Ubuntu

Bson

PT-2020-3488 · Mongodb+4 · Bson+4

CVE-2020-12135

Weakness Enumeration

Related Identifiers

Affected Products

References · 17