OptimalBits / node_acl

Access control lists for node applications

bson@1.0.9 vulnerability issue with acl@0.4.11 #286

Open khadeamolm opened 4 years ago

khadeamolm commented 4 years ago

The acl@0.4.11 module depends on mongodb@2.2.36 and mongodb-core@2.1.20. Both of these mongodb-related modules depend on bson@1.0.9. The vulnerability below was found in bson version 1.0.9, which is currently used by acl@0.4.11 through the mongodb modules. This bson-related vulnerability has been fixed in the latest versions of the mongodb and mongodb-core modules. The acl module needs to fix this bson-related vulnerability by consuming the latest versions of the mongodb and mongodb-core modules.

Name: CVE-2020-7610
Library: bson-1.0.9.tgz
Library Paths: /node_modules/acl/node_modules/bson/package.json
Severity: HIGH
Description: All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
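As an added illustration of the _bsontype issue described in the report above (example code, not from node_acl or the bson package): a defence-in-depth guard that walks untrusted input before it reaches a bson serializer older than 1.1.4 and rejects any object carrying a _bsontype key, since such keys should only ever be created server-side by the driver. The type list and the sample request bodies are constructed for this example; upgrading the dependency remains the actual fix.

```javascript
// Added example (not from the node_acl project or the bson package).
// Defence-in-depth check for CVE-2020-7610: before handing untrusted JSON
// (e.g. a parsed request body) to a bson < 1.1.4 serializer, walk it and
// reject any object carrying a `_bsontype` key. Genuine BSON wrapper objects
// (ObjectID, Long, ...) are created by the driver, so a `_bsontype` key
// arriving in external input is a marker of tampering.
'use strict';

// _bsontype values used by bson 1.x; listed only so the report says whether
// the key seen was a known or unknown type. The guard rejects both.
const KNOWN_BSON_TYPES = new Set([
  'ObjectID', 'Long', 'Double', 'Int32', 'Timestamp', 'Binary', 'Code',
  'Symbol', 'MinKey', 'MaxKey', 'DBRef', 'Decimal128', 'BSONRegExp',
]);

// Returns the JSON paths at which a `_bsontype` key was found.
// An empty list means the value carries no such key anywhere.
function findBsonTypeKeys(value, path = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findBsonTypeKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    // Use the prototype method so a JSON key named "hasOwnProperty" cannot shadow it.
    if (Object.prototype.hasOwnProperty.call(value, '_bsontype')) {
      const t = value._bsontype;
      const kind = KNOWN_BSON_TYPES.has(t) ? 'known' : 'unknown';
      found.push(`${path}._bsontype=${String(t)} (${kind})`);
    }
    for (const key of Object.keys(value)) {
      findBsonTypeKeys(value[key], `${path}.${key}`, found);
    }
  }
  return found;
}

// Throws if untrusted input carries any `_bsontype` key; otherwise returns it unchanged.
function assertNoBsonTypeKeys(untrusted) {
  const hits = findBsonTypeKeys(untrusted);
  if (hits.length > 0) {
    throw new Error(`rejected input with _bsontype keys: ${hits.join(', ')}`);
  }
  return untrusted;
}

// Constructed sample bodies (not taken from the issue).
const CLEAN_BODY = { role: 'editor', resource: '/posts', permissions: ['get'] };
const TAMPERED_BODY = { role: 'editor', resource: { _bsontype: 'NotARealType', x: 1 } };

console.log(findBsonTypeKeys(CLEAN_BODY));    // []
console.log(findBsonTypeKeys(TAMPERED_BODY)); // [ '$.resource._bsontype=NotARealType (unknown)' ]
```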

khadeamolm commented 4 years ago

@manast - Is it possible to address the bson-related high vulnerability in the ACL module as a priority? Due to this vulnerability, our security team does NOT allow us to use this ACL module.

akashmane2209 commented 3 years ago

Please fix this vulnerability

levpachmanov commented 10 months ago

Hey @khadeamolm @akashmane2209, we're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches, enabling more straightforward remediation in cases like this. We created a bson@1.0.9-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app - it's free to use for open-source projects!

Please feel free to reach us at info@seal.security if you have any requests/questions.