Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW03MzQtcjRnNi0zNGY5

NoSQL Injection in loopback-connector-mongodb

Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection.

MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions here).

A proof of concept malicious query:

GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}

The above makes the database sleep for 5 seconds and then returns all “Posts” with the title containing the word Hello.

Recommendation

Update to version 3.6.0 or later.

Permalink: https://github.com/advisories/GHSA-m734-r4g6-34f9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW03MzQtcjRnNi0zNGY5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago

Identifiers: GHSA-m734-r4g6-34f9
References:

• https://github.com/strongloop/loopback-connector-mongodb/issues/403
• https://github.com/strongloop/loopback-connector-mongodb/pull/452
• https://github.com/strongloop/loopback-connector-mongodb/commit/ee24cd08b8ccc32711264831c71b1da628df357b
• https://loopback.io/doc/en/lb3/Security-advisory-08-15-2018.html
• https://www.npmjs.com/advisories/696
• https://github.com/advisories/GHSA-m734-r4g6-34f9

Repository: https://github.com/strongloop/loopback-connector-mongodb
Blast Radius: 0.0

Affected Packages