CVE-2020-12135

EUVD-2020-4450
bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values. In particular, the bson_ensure_space() parameter bytesNeeded could have an integer overflow via properly constructed bson input.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
Affected Products (NVD)
VendorProductVersion
whoopsie_projectwhoopsie
𝑥
≤ 0.2.69
mongodbc_driver
𝑥
< 0.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
duo-unix
bookworm
unimportant
bullseye
unimportant
sid
unimportant
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
duo-unix
bionic
needs-triage
eoan
ignored
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
dne
xenial
needs-triage
whoopsie
bionic
Fixed 0.2.62ubuntu0.5
released
eoan
ignored
focal
Fixed 0.2.69ubuntu0.1
released
groovy
Fixed 0.2.71
released
hirsute
Fixed 0.2.71
released
impish
Fixed 0.2.71
released
jammy
Fixed 0.2.71
released
kinetic
Fixed 0.2.71
released
lunar
Fixed 0.2.71
released
mantic
Fixed 0.2.71
released
noble
Fixed 0.2.71
released
trusty
dne
xenial
Fixed 0.2.52.5ubuntu0.5
released
Common Weakness Enumeration
References
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1872560
https://github.com/10gen-archive/mongo-c-driver-legacy/commit/1a1f5e26a4309480d88598913f9eebf9e9cba8ca#diff-f7d29a680148f52d6601f59ed787f577
https://launchpadlibrarian.net/474887364/bson-fix-overflow.patch
https://usn.ubuntu.com/4450-1/
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1872560
https://github.com/10gen-archive/mongo-c-driver-legacy/commit/1a1f5e26a4309480d88598913f9eebf9e9cba8ca#diff-f7d29a680148f52d6601f59ed787f577
https://launchpadlibrarian.net/474887364/bson-fix-overflow.patch
https://usn.ubuntu.com/4450-1/