GHSA-RC4V-99CR-PJCM
Vulnerability from github – Published: 2023-10-17 14:21 – Updated: 2023-10-17 14:21Impact
This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate(). For applications using Express and EJS, this can potentially allow remote code execution.
Patches
The original patched version for mongoose 5.3.3 did not include a fix for CVE-2023-3696. Therefore the existing version @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (though it is protected from CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, a @seal-security/mongoose-fixed version 5.3.4 has been deployed. Note that this version is compatible with the original mongoose version 5.3.3, not version 5.3.4
References
https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721 https://github.com/advisories/GHSA-9m93-w8w6-76hh https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@seal-security/mongoose-fixed"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.3"
},
{
"fixed": "5.3.4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"5.3.3"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-17T14:21:16Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\nThis vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate().\nFor applications using Express and EJS, this can potentially allow remote code execution.\n\n### Patches\nThe original patched version for mongoose 5.3.3 did not include a fix for CVE-2023-3696. Therefore the existing version @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (though it is protected from CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, a @seal-security/mongoose-fixed version 5.3.4 has been deployed. Note that this version is compatible with the original mongoose version 5.3.3, not version 5.3.4\n\n### References\nhttps://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721\nhttps://github.com/advisories/GHSA-9m93-w8w6-76hh\nhttps://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2\n",
"id": "GHSA-rc4v-99cr-pjcm",
"modified": "2023-10-17T14:21:16Z",
"published": "2023-10-17T14:21:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ali-security/mongoose/security/advisories/GHSA-rc4v-99cr-pjcm"
},
{
"type": "WEB",
"url": "https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2"
},
{
"type": "PACKAGE",
"url": "https://github.com/ali-security/mongoose"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in ali-security/mongoose"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.