CVE-2019-2391

NameCVE-2019-2391
DescriptionIncorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-mongodb (PTS)buster3.1.13+~3.1.11-2+deb10u1fixed
bullseye3.6.4+~cs11.13.19-1fixed
bookworm, sid3.6.4+~cs11.13.19-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-mongodbsourceexperimental3.5.5+~cs11.12.19-1
node-mongodbsourcebuster3.1.13+~3.1.11-2+deb10u1
node-mongodbsource(unstable)3.5.6+~cs11.12.19-1

Notes

Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19

Search for package or bug name: Reporting problems