Core Server / SERVER-39481

Remove unused C++ injected JS constructors

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.0.7, 4.1.9
    • Affects Version/s: None
    • Component/s: JavaScript
    • Labels:
      None
    • Fully Compatible
    • v4.0
    • Dev Tools 2019-02-25, Dev Tools 2019-03-11

      CVE-2019-20923

      Title: Crash while handling internal Javascript exception types

      Description:
      A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7.

      CVSS score:
      This issue's CVSS:3.1 severity is scored at 6.5 using the following scoring metrics:
      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

      Affected versions:
      MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7.

      CWE: CWE-749: Exposed Dangerous Method or Function


      There are some types that are used internally in C++ that should be completely hidden from the JavaScript side.

            Assignee:
            gabriel.russell@mongodb.com Gabriel Russell (Inactive)
            Reporter:
            spencer.jackson@mongodb.com Spencer Jackson