Book-Trading-Club icon indicating copy to clipboard operation
Book-Trading-Club copied to clipboard

Published 20 hours ago verified publisher icon mubaidr

CVE-2018-13863 High Severity Vulnerability detected by WhiteSource

Open mend-bolt-for-github[bot] opened this issue 6 years ago • 0 comments

CVE-2018-13863 - High Severity Vulnerability

Vulnerable Library - bson-1.0.4.tgz

A bson parser for node.js and the browser

path: /tmp/git/Book-Trading-Club/node_modules/bson/package.json

Library home page: https://registry.npmjs.org/bson/-/bson-1.0.4.tgz

Dependency Hierarchy:

  • mongoose-4.11.11.tgz (Root Library)
    • :x: bson-1.0.4.tgz (Vulnerable Library)

Vulnerability Details

The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.

Publish Date: 2018-07-10

URL: CVE-2018-13863

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: https://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a

Release Date: 2018-02-26

Fix Resolution: Replace or update the following file: decimal128.js

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github[bot] avatar Feb 12 '19 01:02 mend-bolt-for-github[bot]