Open renovate[bot] opened 11 months ago
By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or to replace critical attributes with malicious ones. This is a problem whenever the software depends on the existence or non-existence of certain attributes, or relies on the pre-defined attributes of `Object.prototype` (such as `hasOwnProperty`, `toString` or `valueOf`).
A Denial of Service (DoS) attack aims to make a resource (site, application, server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable to legitimate users, among them exploiting network-packet, programming, logic, or resource-handling vulnerabilities. Source: https://www.owasp.org/index.php/Denial_of_Service
This PR contains the following updates:

| Package | Change |
|---|---|
| [mongoose](https://togithub.com/Automattic/mongoose) | `5.13.7` -> `5.13.20` |
GitHub Vulnerability Alerts
CVE-2023-3696
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.
CVE-2022-24304
Description
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.
Affected versions of this package are vulnerable to Prototype Pollution. The `Schema.path()` function is vulnerable to prototype pollution when setting the `schema` object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.
Proof of Concept
Impact
This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.
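The advisory text above describes the mechanism (a key such as `__proto__` written through from untrusted input lands on the shared `Object.prototype`, and overwriting a built-in like `toString` turns that into a crash) but does not show it. The following is an added illustration written for this page in JavaScript; it is not mongoose code and does not reproduce the `Schema.path()` issue. The functions `unsafeMerge`, `safeMerge`, `demonstrate` and `demonstrateDoS` are hypothetical names chosen here, and the JSON payloads are constructed inputs.

```javascript
'use strict';

// Naive recursive merge of the kind that causes prototype pollution.
// For a source key "__proto__", target["__proto__"] resolves to
// Object.prototype (via the inherited accessor), so the nested object
// is written onto the prototype shared by every plain object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: reject the keys that reach a prototype, iterate only
// the source's own keys, and never descend into a target property that
// is inherited rather than own (Object.hasOwn needs Node.js 16.9+).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!Object.hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Property injection: after the unsafe merge, an unrelated empty object
// "has" isAdmin. Constructed payload, e.g. a JSON request body that an
// application merges into a config or schema object.
function demonstrate() {
  const payload = JSON.parse('{"name":"x","__proto__":{"isAdmin":true}}');
  const before = ({}).isAdmin;            // undefined
  unsafeMerge({}, payload);
  const after = ({}).isAdmin;             // true on every object now
  const leaked = 'isAdmin' in {};         // true
  delete Object.prototype.isAdmin;        // undo the pollution
  const cleaned = ({}).isAdmin;           // undefined again
  let rejected = false;
  try { safeMerge({}, payload); } catch (e) { rejected = true; }
  const stillClean = ({}).isAdmin;        // undefined: safeMerge refused
  return { before, after, leaked, cleaned, rejected, stillClean };
}

// DoS variant: replacing Object.prototype.toString with a non-function
// makes ordinary string conversion of any object throw a TypeError.
// The original toString is saved and restored so the process survives.
function demonstrateDoS() {
  const payload = JSON.parse('{"__proto__":{"toString":1}}');
  const original = Object.prototype.toString;
  let threw = false;
  try {
    unsafeMerge({}, payload);
    try { String({}); } catch (e) { threw = e instanceof TypeError; }
  } finally {
    Object.prototype.toString = original;
  }
  return threw;
}

module.exports = { unsafeMerge, safeMerge, demonstrate, demonstrateDoS, FORBIDDEN_KEYS };
```

`demonstrate()` returns the observable state at each step (`after` and `leaked` are `true` only while the pollution is in place), and `demonstrateDoS()` returns `true` when the `toString` overwrite crashes string conversion. The two defences in `safeMerge`, rejecting `__proto__`/`constructor`/`prototype` and recursing only into own properties, are what a fixed merge or path-setter needs; blocking `__proto__` alone is insufficient because other merge implementations can be steered through `constructor.prototype`.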
Release Notes
Automattic/mongoose (mongoose)
### [`v5.13.20`](https://togithub.com/Automattic/mongoose/compare/5.13.19...5.13.20)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.19...5.13.20)

### [`v5.13.19`](https://togithub.com/Automattic/mongoose/compare/5.13.18...5.13.19)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.18...5.13.19)

### [`v5.13.18`](https://togithub.com/Automattic/mongoose/compare/5.13.17...5.13.18)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.17...5.13.18)

### [`v5.13.17`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51317--2023-04-04)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.16...5.13.17)

- fix: backport fix for array filters handling $or and $and [#13195](https://togithub.com/Automattic/mongoose/issues/13195) [#13192](https://togithub.com/Automattic/mongoose/issues/13192) [#10696](https://togithub.com/Automattic/mongoose/issues/10696) [raj-goguardian](https://togithub.com/raj-goguardian)
- fix: update the isIndexEqual function to take into account non-text indexes when checking compound indexes that include both text and non-text indexes [#13138](https://togithub.com/Automattic/mongoose/issues/13138) [#13136](https://togithub.com/Automattic/mongoose/issues/13136) [rdeavila94](https://togithub.com/rdeavila94)

### [`v5.13.16`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51316--2023-02-20)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.15...5.13.16)

- fix: make access to process.versions lazy [#12584](https://togithub.com/Automattic/mongoose/issues/12584) [maciasello](https://togithub.com/maciasello)
- fix(types): add missing type definitions for `bulkSave()` [#12019](https://togithub.com/Automattic/mongoose/issues/12019)
- docs: backport documentation URL updates [#12692](https://togithub.com/Automattic/mongoose/issues/12692) [hasezoey](https://togithub.com/hasezoey)

### [`v5.13.15`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51315--2022-08-22)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.14...5.13.15)

- fix: backport fix for CVE-2022-2564 [#12281](https://togithub.com/Automattic/mongoose/issues/12281) [shubanker](https://togithub.com/shubanker)
- docs: fix broken link from findandmodify method deprecation [#11366](https://togithub.com/Automattic/mongoose/issues/11366) [laissonsilveira](https://togithub.com/laissonsilveira)

### [`v5.13.14`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51314--2021-12-27)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.13...5.13.14)

- fix(timestamps): avoid setting createdAt on documents that already exist but don't have createdAt [#11024](https://togithub.com/Automattic/mongoose/issues/11024)
- docs(models): fix up nModified example for 5.x [#11055](https://togithub.com/Automattic/mongoose/issues/11055)

### [`v5.13.13`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51313--2021-11-02)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.12...5.13.13)

- fix: upgrade to mongodb@3.7.3 [#10909](https://togithub.com/Automattic/mongoose/issues/10909) [gaurav-sharma-gs](https://togithub.com/gaurav-sharma-gs)
- fix: correctly emit end event in before close [#10916](https://togithub.com/Automattic/mongoose/issues/10916) [iovanom](https://togithub.com/iovanom)
- fix(index.d.ts): improve ts types for query set [#10942](https://togithub.com/Automattic/mongoose/issues/10942) [jneal-afs](https://togithub.com/jneal-afs)

### [`v5.13.12`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51312--2021-10-19)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.11...5.13.12)

- fix(cursor): use stream destroy method on close to prevent emitting duplicate 'close' [#10897](https://togithub.com/Automattic/mongoose/issues/10897) [iovanom](https://togithub.com/iovanom)
- fix(index.d.ts): backport streamlining of FilterQuery and DocumentDefinition to avoid "excessively deep and possibly infinite" TS errors [#10617](https://togithub.com/Automattic/mongoose/issues/10617)

### [`v5.13.11`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51311--2021-10-12)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.10...5.13.11)

- fix: upgrade mongodb -> 3.7.2 [#10871](https://togithub.com/Automattic/mongoose/issues/10871) [winstonralph](https://togithub.com/winstonralph)
- fix(connection): call setMaxListeners(0) on MongoClient to avoid event emitter memory leak warnings with `useDb()` [#10732](https://togithub.com/Automattic/mongoose/issues/10732)

### [`v5.13.10`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51310--2021-10-05)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.9...5.13.10)

- fix(index.d.ts): allow using type: SchemaDefinitionProperty in schema definitions [#10674](https://togithub.com/Automattic/mongoose/issues/10674)
- fix(index.d.ts): allow AnyObject as param to findOneAndReplace() [#10714](https://togithub.com/Automattic/mongoose/issues/10714)

### [`v5.13.9`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5139--2021-09-06)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.8...5.13.9)

- fix(populate): avoid setting empty array on lean document when populate result is undefined [#10599](https://togithub.com/Automattic/mongoose/issues/10599)
- fix(document): make depopulate() handle populated paths underneath document arrays [#10592](https://togithub.com/Automattic/mongoose/issues/10592)
- fix: peg [@types/bson](https://togithub.com/types/bson) version to 1.x || 4.0.x to avoid stubbed 4.2.x release [#10678](https://togithub.com/Automattic/mongoose/issues/10678)
- fix(index.d.ts): simplify UpdateQuery to avoid "excessively deep and possibly infinite" errors with `extends Document` and `any` [#10647](https://togithub.com/Automattic/mongoose/issues/10647)
- fix(index.d.ts): allow specifying weights as an IndexOption [#10586](https://togithub.com/Automattic/mongoose/issues/10586)
- fix: upgrade to mpath v0.8.4 re: security issue [#10683](https://togithub.com/Automattic/mongoose/issues/10683)

### [`v5.13.8`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5138--2021-08-23)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.7...5.13.8)

- fix(populate): handle populating subdoc array virtual with sort [#10552](https://togithub.com/Automattic/mongoose/issues/10552)
- fix(model): check for code instead of codeName when checking for existing collections for backwards compat with MongoDB 3.2 [#10420](https://togithub.com/Automattic/mongoose/issues/10420)
- fix(index.d.ts): correct value of this for custom query helper methods [#10545](https://togithub.com/Automattic/mongoose/issues/10545)
- fix(index.d.ts): allow strings for ObjectIds in nested properties [#10573](https://togithub.com/Automattic/mongoose/issues/10573)
- fix(index.d.ts): add match to VirtualTypeOptions.options [#8749](https://togithub.com/Automattic/mongoose/issues/8749)
- fix(index.d.ts): allow QueryOptions populate parameter type PopulateOptions [#10587](https://togithub.com/Automattic/mongoose/issues/10587) [osmanakol](https://togithub.com/osmanakol)
- docs(api): add Document#$where to API docs [#10583](https://togithub.com/Automattic/mongoose/issues/10583)

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.