CVE-2019-10758
unknown
KEV
- CVSS v3: —
- CVSS v2: —
- VIR risk: 1.5
Description
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method.
CISA KEV
- Vendor: MongoDB
- Product: mongo-express
- Due date: 2022-06-10
Predictions
- Exploit likelihood: 99%
- Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2019-10758
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | mongo-express | <0.54.0 | 0.54.0 |
References
- https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq
- https://nvd.nist.gov/vuln/detail/CVE-2019-10758
- https://github.com/mongo-express/mongo-express/pull/522
- https://github.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494
- https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2
- https://github.com/mongo-express/mongo-express
- https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60
- https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758