Candidate: CVE-2020-7610
PublicDate: 2020-03-30 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7610
 https://snyk.io/vuln/SNYK-JS-BSON-561052
 https://github.com/mongodb/js-bson/commit/3809c1313a7b2a8001065f0271199df9fa3d16a8
Description:
 All versions of bson before 1.1.4 are vulnerable to Deserialization of
 Untrusted Data. The package will ignore an unknown value for an object's
 _bsotype, leading to cases where an object is serialized as a document
 rather than the intended BSON type.
Ubuntu-Description:
Notes:
 seth-arnold> The github patch link from snyk.io shows a diff with
  'serializer.js', but the description is for Deserialization. I don't
  know if this is intentoinal or not.
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_node-mongodb:
upstream_node-mongodb: released (1.1.4)
precise/esm_node-mongodb: DNE
trusty_node-mongodb: ignored (out of standard support)
trusty/esm_node-mongodb: DNE
xenial_node-mongodb: DNE
bionic_node-mongodb: DNE
eoan_node-mongodb: ignored (reached end-of-life)
focal_node-mongodb: needs-triage
groovy_node-mongodb: not-affected (3.5.6+~cs11.12.19-1)
hirsute_node-mongodb: not-affected (3.5.6+~cs11.12.19-1)
impish_node-mongodb: not-affected (3.5.6+~cs11.12.19-1)
jammy_node-mongodb: not-affected (3.5.6+~cs11.12.19-1)
devel_node-mongodb: not-affected (3.5.6+~cs11.12.19-1)