Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yYzR2LTk5Y3ItcGpjbc4AA2gY
Prototype Pollution in ali-security/mongoose
Impact
This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate().
For applications using Express and EJS, this can potentially allow remote code execution.
Patches
The original patched version for mongoose 5.3.3 did not include a fix for CVE-2023-3696. Therefore the existing version @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (though it is protected from CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, a @seal-security/mongoose-fixed version 5.3.4 has been deployed. Note that this version is compatible with the original mongoose version 5.3.3, not version 5.3.4
References
https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721
https://github.com/advisories/GHSA-9m93-w8w6-76hh
https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yYzR2LTk5Y3ItcGpjbc4AA2gY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
Identifiers: GHSA-rc4v-99cr-pjcm
References:
- https://github.com/ali-security/mongoose/security/advisories/GHSA-rc4v-99cr-pjcm
- https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2
- https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721
- https://github.com/advisories/GHSA-rc4v-99cr-pjcm
Blast Radius: 1.0
Affected Packages
npm:@seal-security/mongoose-fixed
Dependent packages: 0Dependent repositories: 0
Downloads: 91 last month
Affected Version Ranges: = 5.3.3
Fixed in: 5.3.4
All affected versions: 5.3.3
All unaffected versions: 5.3.4