Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
NoSQL Injection in loopback-connector-mongodb
Versions of loopback-connector-mongodb prior to 3.6.0 are vulnerable to NoSQL Injection. Filters passed to the database query are not properly sanitized, which leads to execution of code on the database driver and data leaks.
Recommendation
Upgrade to version 3.6.0 or later.
Permalink: https://github.com/advisories/GHSA-hxwc-5vw9-2w4w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4d2MtNXZ3OS0ydzR3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-hxwc-5vw9-2w4w
References:
- https://loopback.io/doc/en/lb3/Security-advisory-08-15-2018.html
- https://www.npmjs.com/advisories/767
- https://github.com/loopbackio/loopback-connector-mongodb
- https://github.com/advisories/GHSA-hxwc-5vw9-2w4w
Blast Radius: 0.0
Affected Packages
npm:loopback-connector-mongodb
Dependent packages: 101
Dependent repositories: 2,377
Downloads: 57,975 last month
Affected Version Ranges: <= 3.5.0
Fixed in: 3.6.0
All affected versions: 1.0.0, 1.1.0, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.17.0, 1.18.0, 1.18.1, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0
All unaffected versions: 3.6.0, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 4.0.0, 4.1.0, 4.2.0, 5.0.0, 5.0.1, 5.1.0, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 6.0.0, 6.0.1, 6.1.0, 6.2.0