Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-39481

Remove unused C++ injected JS constructors

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.0.7, 4.1.9
    • Component/s: JavaScript
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Backport Requested:
      v4.0
    • Sprint:
      Dev Tools 2019-02-25, Dev Tools 2019-03-11

      Description

      CVE-2019-20923

      Title: Crash while handling internal Javascript exception types

      Description:
      A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7.

      CVSS score:
      This issue's CVSS:3.1 severity is scored at 6.5 using the following scoring metrics:
      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

      Affected versions:
      MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7.

      CWE: CWE-749: Exposed Dangerous Method or Function


      There are some types that are used internally in C++ that should be completely hidden in the Javascript side.

        Attachments

          Activity

            People

            Assignee:
            gabriel.russell Gabriel Russell (Inactive)
            Reporter:
            spencer.jackson Spencer Jackson
            Participants:
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: