
mongoose-4.2.4.tgz: 8 vulnerabilities (highest severity is: 9.8) - autoclosed #33

Closed uriel-mend-app[bot] closed 1 year ago

uriel-mend-app[bot] commented 1 year ago
Vulnerable Library - mongoose-4.2.4.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mongoose/package.json

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (mongoose version) | Fix PR available |
|---|---|---|---|---|---|---|
| CVE-2020-7610 | High | 9.8 | bson-0.4.23.tgz | Transitive | 4.13.17 | |
| CVE-2019-17426 | High | 9.1 | mongoose-4.2.4.tgz | Direct | 4.13.17 | |
| CVE-2020-13110 | High | 7.8 | kerberos-0.0.24.tgz | Transitive | 4.13.17 | |
| WS-2016-0026 | High | 7.7 | mongoose-4.2.4.tgz | Direct | 4.13.17 | |
| CVE-2018-16490 | High | 7.5 | mpath-0.1.1.tgz | Transitive | 4.13.17 | |
| WS-2018-0224 | Medium | 6.0 | mpath-0.1.1.tgz | Transitive | 4.13.17 | |
| CVE-2020-35149 | Medium | 5.3 | mquery-1.6.3.tgz | Transitive | N/A* | |
| WS-2018-0077 | Medium | 5.0 | mongoose-4.2.4.tgz | Direct | 4.13.17 | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

## CVE-2020-7610

### Vulnerable Library - bson-0.4.23.tgz

A bson parser for node.js and the browser

Library home page: https://registry.npmjs.org/bson/-/bson-0.4.23.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mongodb-core/node_modules/bson/package.json,/node_modules/mongoose/node_modules/bson/package.json

Dependency Hierarchy:
- mongoose-4.2.4.tgz (Root Library)
  - :x: **bson-0.4.23.tgz** (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

### Vulnerability Details

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

Publish Date: 2020-03-30

URL: CVE-2020-7610

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2020-03-30

Fix Resolution (bson): bson - 1.1.4

Direct dependency fix Resolution (mongoose): 4.13.17

:rescue_worker_helmet: Automatic Remediation is available for this issue
## CVE-2019-17426

### Vulnerable Library - mongoose-4.2.4.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mongoose/package.json

Dependency Hierarchy:
- :x: **mongoose-4.2.4.tgz** (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

### Vulnerability Details

Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

Publish Date: 2019-10-10

URL: CVE-2019-17426

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17426

Release Date: 2019-10-10

Fix Resolution (mongoose): 5.7.5

Direct dependency fix Resolution (mongoose): 4.13.17

:rescue_worker_helmet: Automatic Remediation is available for this issue
## CVE-2020-13110

### Vulnerable Library - kerberos-0.0.24.tgz

Kerberos library for Node.js

Library home page: https://registry.npmjs.org/kerberos/-/kerberos-0.0.24.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/kerberos/package.json

Dependency Hierarchy:
- mongoose-4.2.4.tgz (Root Library)
  - mongodb-2.0.46.tgz
    - mongodb-core-1.2.19.tgz
      - :x: **kerberos-0.0.24.tgz** (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

### Vulnerability Details

The kerberos package before 1.0.0 for Node.js allows arbitrary code execution and privilege escalation via injection of malicious DLLs through use of the kerberos_sspi LoadLibrary() method, because of a DLL path search.

Publish Date: 2020-05-16

URL: CVE-2020-13110

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1514

Release Date: 2020-05-20

Fix Resolution (kerberos): kerberos - 1.0.0

Direct dependency fix Resolution (mongoose): 4.13.17

:rescue_worker_helmet: Automatic Remediation is available for this issue
## WS-2016-0026

### Vulnerable Library - mongoose-4.2.4.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mongoose/package.json

Dependency Hierarchy:
- :x: **mongoose-4.2.4.tgz** (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

### Vulnerability Details

There is a potential memory disclosure and DoS vulnerability in mongoose from 3.5.5 before 3.8.36 and from 4.0.0 before 4.3.6.

Publish Date: 2016-01-15

URL: WS-2016-0026

### CVSS 3 Score Details (7.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2017-01-31

Fix Resolution (mongoose): 3.8.36,4.3.6

Direct dependency fix Resolution (mongoose): 4.13.17

:rescue_worker_helmet: Automatic Remediation is available for this issue
## CVE-2018-16490

### Vulnerable Library - mpath-0.1.1.tgz

{G,S}et object values using MongoDB path notation

Library home page: https://registry.npmjs.org/mpath/-/mpath-0.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mpath/package.json

Dependency Hierarchy:
- mongoose-4.2.4.tgz (Root Library)
  - :x: **mpath-0.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

### Vulnerability Details

A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16490

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/390860

Release Date: 2019-02-01

Fix Resolution (mpath): 0.5.1

Direct dependency fix Resolution (mongoose): 4.13.17

:rescue_worker_helmet: Automatic Remediation is available for this issue
## WS-2018-0224

### Vulnerable Library - mpath-0.1.1.tgz

{G,S}et object values using MongoDB path notation

Library home page: https://registry.npmjs.org/mpath/-/mpath-0.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mpath/package.json

Dependency Hierarchy:
- mongoose-4.2.4.tgz (Root Library)
  - :x: **mpath-0.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

### Vulnerability Details

Mpath, versions 0.0.1--0.0.5, have a Prototype Pollution Vulnerability. An attacker can specify a path that includes the prototype object.

Publish Date: 2018-08-30

URL: WS-2018-0224

### CVSS 3 Score Details (6.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: N/A
  - Attack Complexity: N/A
  - Privileges Required: N/A
  - User Interaction: N/A
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/390860

Release Date: 2018-08-30

Fix Resolution (mpath): 0.5.1

Direct dependency fix Resolution (mongoose): 4.13.17

:rescue_worker_helmet: Automatic Remediation is available for this issue
## CVE-2020-35149

### Vulnerable Library - mquery-1.6.3.tgz

Expressive query building for MongoDB

Library home page: https://registry.npmjs.org/mquery/-/mquery-1.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mquery/package.json

Dependency Hierarchy:
- mongoose-4.2.4.tgz (Root Library)
  - :x: **mquery-1.6.3.tgz** (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

### Vulnerability Details

lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., __proto__) can be copied during a merge or clone operation.

Publish Date: 2020-12-11

URL: CVE-2020-35149

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Release Date: 2020-12-11

Fix Resolution: 3.2.3

## WS-2018-0077

### Vulnerable Library - mongoose-4.2.4.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mongoose/package.json

Dependency Hierarchy:
- :x: **mongoose-4.2.4.tgz** (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

### Vulnerability Details

Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure. Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database.

Publish Date: 2016-01-15

URL: WS-2018-0077

### CVSS 2 Score Details (5.0)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version

Release Date: 2018-01-27

Fix Resolution (mongoose): 3.8.39,4.3.6

Direct dependency fix Resolution (mongoose): 4.13.17

:rescue_worker_helmet: Automatic Remediation is available for this issue

:rescue_worker_helmet: Automatic Remediation is available for this issue.

uriel-mend-app[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.