[SERVER-39481] Remove unused C++ injected JS constructors
Created: 08/Feb/19  Updated: 29/Oct/23  Resolved: 04/Mar/19

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: None
Fix Version/s: 4.0.7, 4.1.9

Type: Task
Priority: Major - P3
Reporter: Spencer Jackson
Assignee: Gabriel Russell (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Backport Requested: v4.0
Sprint: Dev Tools 2019-02-25, Dev Tools 2019-03-11

 Description   
CVE-2019-20923

Title: Crash while handling internal Javascript exception types

Description:
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7.

CVSS score:
This issue's CVSS:3.1 severity is scored at 6.5 using the following scoring metrics:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected versions:
MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7.

CWE: CWE-749: Exposed Dangerous Method or Function


There are some types that are used internally in C++ that should be completely hidden from the JavaScript side.



 Comments   
Comment by Githook User [ 12/Mar/19 ]

Author: Gabriel Russell <gabriel.russell@mongodb.com> (gabrielrussell)

Message: SERVER-39481 don't expose a MongoStatus constructor in JS
Branch: v4.0
https://github.com/mongodb/mongo/commit/c9dd94ca1a571f9d145eaa9029d8ce905a86f933

Comment by Githook User [ 04/Mar/19 ]

Author: Gabriel Russell <gabriel.russell@mongodb.com> (gabrielrussell)

Message: SERVER-39481 fix lint
Branch: master
https://github.com/mongodb/mongo/commit/9bcca81bf74511a00279f120d050e0d938ef3083

Comment by Githook User [ 04/Mar/19 ]

Author: Gabriel Russell <gabriel.russell@mongodb.com> (gabrielrussell)

Message: SERVER-39481 don't expose a MongoStatus constructor in JS
Branch: master
https://github.com/mongodb/mongo/commit/c53b2f233687487ef70398153af3d8d34bbc21d1
