CRITICAL🇵🇱 Wersja polska

CVE-2020-7610

CVSS 9.8v3.1pub. 2020-03-30upd. 2024-11-21

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mongodb Bson

    APP
    Mongodb
    1.0.0 – 1.1.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2015-4411HIGH7.5ten sam produkt

The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0.4 as used in rubygem-moped allows remot...

CVE-2017-15535CRITICAL9.1ten sam vendor

MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMe...

CVE-2025-14847HIGH8.7⚠ KEVten sam vendor

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by ...

CVE-2026-11933HIGH8.7ten sam vendor

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON d...

CVE-2026-9740HIGH8.7ten sam vendor

A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod p...