2 vulnerabilities found for BSON::XS by MONGODB
CVE-2025-40906 (GCVE-0-2025-40906)
Vulnerability from nvd – Published: 2025-05-16 15:15 – Updated: 2025-09-09 13:54
Title
BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities
Summary
BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities.
Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755.
BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
References
2 references
| URL | Tags |
|---|---|
| https://lists.debian.org/debian-lts-announce/2025… | mailing-list |
| https://www.mongodb.com/community/forums/t/mongod… | vendor-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-40906",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-17T02:38:23.781160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:54:31.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "BSON-XS",
"product": "BSON::XS",
"repo": "https://github.com/mongodb-labs/mongo-perl-bson-xs",
"vendor": "MONGODB",
"versions": [
{
"lessThanOrEqual": "0.8.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities.\u003cbr\u003e\u003cbr\u003eThose include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. \u003cbr\u003e\u003cbr\u003eBSON-XS was the official Perl XS implementation of MongoDB\u0027s BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.\u003cbr\u003e"
}
],
"value": "BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities.\n\nThose include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. \n\nBSON-XS was the official Perl XS implementation of MongoDB\u0027s BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1104",
"description": "CWE-1104 Use of Unmaintained Third Party Components",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:22:22.125Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.mongodb.com/community/forums/t/mongodb-perl-driver-end-of-life/7890"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Manually remove the bundled version of libbson, update the \"bson\" folder with an up-to-date version of libbson\u0027s source code and try building against it."
}
],
"value": "Manually remove the bundled version of libbson, update the \"bson\" folder with an up-to-date version of libbson\u0027s source code and try building against it."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Consider using a security patched version of BSON::XS from a downstream packager or OS distribution."
}
],
"value": "Consider using a security patched version of BSON::XS from a downstream packager or OS distribution."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-40906",
"datePublished": "2025-05-16T15:15:49.810Z",
"dateReserved": "2025-04-16T09:05:34.360Z",
"dateUpdated": "2025-09-09T13:54:31.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40906 (GCVE-0-2025-40906)
Vulnerability from cvelistv5 – Published: 2025-05-16 15:15 – Updated: 2025-09-09 13:54