AID icon indicating copy to clipboard operation
AID copied to clipboard

Published 20 hours ago verified publisher icon autoai-org

mongoose-5.10.9.tgz: 3 vulnerabilities (highest severity is: 9.8)

Open mend-bolt-for-github[bot] opened this issue 3 years ago • 1 comments

Vulnerable Library - mongoose-5.10.9.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.10.9.tgz

Path to dependency file: /components/discovery/yarn.lock

Path to vulnerable library: /components/discovery/yarn.lock

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (mongoose version) Remediation Available
CVE-2022-2564 High 9.8 mongoose-5.10.9.tgz Direct 5.13.15
CVE-2021-23438 High 9.8 mpath-0.7.0.tgz Transitive 5.13.9
CVE-2020-35149 Medium 5.3 mquery-3.2.2.tgz Transitive 5.11.7

Details

CVE-2022-2564

Vulnerable Library - mongoose-5.10.9.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.10.9.tgz

Path to dependency file: /components/discovery/yarn.lock

Path to vulnerable library: /components/discovery/yarn.lock

Dependency Hierarchy:

  • :x: mongoose-5.10.9.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.

Publish Date: 2022-07-28

URL: CVE-2022-2564

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2564

Release Date: 2022-07-28

Fix Resolution: 5.13.15

Step up your Open Source Security Game with Mend here

CVE-2021-23438

Vulnerable Library - mpath-0.7.0.tgz

{G,S}et object values using MongoDB-like path notation

Library home page: https://registry.npmjs.org/mpath/-/mpath-0.7.0.tgz

Path to dependency file: /components/discovery/yarn.lock

Path to vulnerable library: /components/discovery/yarn.lock

Dependency Hierarchy:

  • mongoose-5.10.9.tgz (Root Library)
    • :x: mpath-0.7.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['proto']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

Publish Date: 2021-09-01

URL: CVE-2021-23438

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23438

Release Date: 2021-09-01

Fix Resolution (mpath): 0.8.4

Direct dependency fix Resolution (mongoose): 5.13.9

Step up your Open Source Security Game with Mend here

CVE-2020-35149

Vulnerable Library - mquery-3.2.2.tgz

Expressive query building for MongoDB

Library home page: https://registry.npmjs.org/mquery/-/mquery-3.2.2.tgz

Path to dependency file: /components/discovery/yarn.lock

Path to vulnerable library: /components/discovery/yarn.lock

Dependency Hierarchy:

  • mongoose-5.10.9.tgz (Root Library)
    • :x: mquery-3.2.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., proto) can be copied during a merge or clone operation.

Publish Date: 2020-12-11

URL: CVE-2020-35149

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-11

Fix Resolution (mquery): 3.2.3

Direct dependency fix Resolution (mongoose): 5.11.7

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Feb 19 '22 01:02 mend-bolt-for-github[bot]