The [email protected] module depends on [email protected] and [email protected]. Both of these mongodb-related modules depend on [email protected].
The vulnerability below was found in bson version 1.0.9, which is currently used in [email protected] with the mongodb modules.
This bson-related vulnerability has been fixed in the latest versions of the mongodb and mongodb-core modules.
The acl module needs to fix this bson-related vulnerability by consuming the latest versions of the mongodb and mongodb-core modules.
Name: CVE-2020-7610
Library: bson-1.0.9.tgz
Library Paths:
/node_modules/acl/node_modules/bson/package.json
Severity: HIGH
Description: All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type
@manast - Is it possible to address the bson-related high vulnerability in the ACL module as a priority?
Due to this vulnerability, our security team does NOT allow us to use this ACL module.
Hey @khadeamolm @akashmane2209,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an [email protected] that's vulnerability-free. As with all of our patches, it's open-source and available for free.
If relevant, check out our GitHub repo if you wish to learn more, or start using our app - it's free to use for open-source projects!
Please feel free to reach us at [email protected] if you have any requests/questions.