Data Injection Affecting bson package, versions <1.12.3 >=2.0, <3.0.4

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS 1.38% (87^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-BSON-20220
published 3 Jun 2015
disclosed 3 Jun 2015
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 3 Jun 2015

CVE-2015-4412 Open this link in a new tab CWE-74 Open this link in a new tab

Overview

bson is a full featured BSON specification implementation in Ruby.

Affected versions of this gem allow an attacker to perform a BSON Injection. A flaw in the ObjectId validation regular expression can enable attackers to inject arbitrary information into a given BSON object.

References

http://rubysec.com/advisories/CVE-2015-4412
http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
https://access.redhat.com/security/cve/cve-2015-4412