yurikrupnik / mussia8

Mussia8 base project monorepo poc for api gateway
alfred-lake.vercel.app
MIT License

Update dependency mongoose to v5.13.20 [SECURITY] #358

Open renovate[bot] opened 11 months ago

renovate[bot] commented 11 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| mongoose (source) | 5.13.7 -> 5.13.20 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2022-24304

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

```javascript
// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

const malicious_payload = '__proto__.toString';

// On affected versions, schema.path() walks the dotted path into Object.prototype
schema.path(malicious_payload, [String]);

const x = {};
console.log(x.toString()); // crashes: Object.prototype.toString was overwritten (Denial of Service (DoS))
```

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.


Release Notes

Automattic/mongoose (mongoose)

### [`v5.13.20`](https://togithub.com/Automattic/mongoose/compare/5.13.19...5.13.20)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.19...5.13.20)

### [`v5.13.19`](https://togithub.com/Automattic/mongoose/compare/5.13.18...5.13.19)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.18...5.13.19)

### [`v5.13.18`](https://togithub.com/Automattic/mongoose/compare/5.13.17...5.13.18)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.17...5.13.18)

### [`v5.13.17`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51317--2023-04-04)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.16...5.13.17)

- fix: backport fix for array filters handling $or and $and [#13195](https://togithub.com/Automattic/mongoose/issues/13195) [#13192](https://togithub.com/Automattic/mongoose/issues/13192) [#10696](https://togithub.com/Automattic/mongoose/issues/10696) [raj-goguardian](https://togithub.com/raj-goguardian)
- fix: update the isIndexEqual function to take into account non-text indexes when checking compound indexes that include both text and non-text indexes [#13138](https://togithub.com/Automattic/mongoose/issues/13138) [#13136](https://togithub.com/Automattic/mongoose/issues/13136) [rdeavila94](https://togithub.com/rdeavila94)

### [`v5.13.16`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51316--2023-02-20)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.15...5.13.16)

- fix: make access to process.versions lazy [#12584](https://togithub.com/Automattic/mongoose/issues/12584) [maciasello](https://togithub.com/maciasello)
- fix(types): add missing type definitions for `bulkSave()` [#12019](https://togithub.com/Automattic/mongoose/issues/12019)
- docs: backport documentation URL updates [#12692](https://togithub.com/Automattic/mongoose/issues/12692) [hasezoey](https://togithub.com/hasezoey)

### [`v5.13.15`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51315--2022-08-22)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.14...5.13.15)

- fix: backport fix for CVE-2022-2564 [#12281](https://togithub.com/Automattic/mongoose/issues/12281) [shubanker](https://togithub.com/shubanker)
- docs: fix broken link from findandmodify method deprecation [#11366](https://togithub.com/Automattic/mongoose/issues/11366) [laissonsilveira](https://togithub.com/laissonsilveira)

### [`v5.13.14`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51314--2021-12-27)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.13...5.13.14)

- fix(timestamps): avoid setting createdAt on documents that already exist but dont have createdAt [#11024](https://togithub.com/Automattic/mongoose/issues/11024)
- docs(models): fix up nModified example for 5.x [#11055](https://togithub.com/Automattic/mongoose/issues/11055)

### [`v5.13.13`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51313--2021-11-02)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.12...5.13.13)

- fix: upgrade to mongodb@3.7.3 [#10909](https://togithub.com/Automattic/mongoose/issues/10909) [gaurav-sharma-gs](https://togithub.com/gaurav-sharma-gs)
- fix: correctly emit end event in before close [#10916](https://togithub.com/Automattic/mongoose/issues/10916) [iovanom](https://togithub.com/iovanom)
- fix(index.d.ts): improve ts types for query set [#10942](https://togithub.com/Automattic/mongoose/issues/10942) [jneal-afs](https://togithub.com/jneal-afs)

### [`v5.13.12`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51312--2021-10-19)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.11...5.13.12)

- fix(cursor): use stream destroy method on close to prevent emitting duplicate 'close' [#10897](https://togithub.com/Automattic/mongoose/issues/10897) [iovanom](https://togithub.com/iovanom)
- fix(index.d.ts): backport streamlining of FilterQuery and DocumentDefinition to avoid "excessively deep and possibly infinite" TS errors [#10617](https://togithub.com/Automattic/mongoose/issues/10617)

### [`v5.13.11`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51311--2021-10-12)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.10...5.13.11)

- fix: upgrade mongodb -> 3.7.2 [#10871](https://togithub.com/Automattic/mongoose/issues/10871) [winstonralph](https://togithub.com/winstonralph)
- fix(connection): call setMaxListeners(0) on MongoClient to avoid event emitter memory leak warnings with `useDb()` [#10732](https://togithub.com/Automattic/mongoose/issues/10732)

### [`v5.13.10`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51310--2021-10-05)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.9...5.13.10)

- fix(index.d.ts): allow using type: SchemaDefinitionProperty in schema definitions [#10674](https://togithub.com/Automattic/mongoose/issues/10674)
- fix(index.d.ts): allow AnyObject as param to findOneAndReplace() [#10714](https://togithub.com/Automattic/mongoose/issues/10714)

### [`v5.13.9`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5139--2021-09-06)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.8...5.13.9)

- fix(populate): avoid setting empty array on lean document when populate result is undefined [#10599](https://togithub.com/Automattic/mongoose/issues/10599)
- fix(document): make depopulate() handle populated paths underneath document arrays [#10592](https://togithub.com/Automattic/mongoose/issues/10592)
- fix: peg [@types/bson](https://togithub.com/types/bson) version to 1.x || 4.0.x to avoid stubbed 4.2.x release [#10678](https://togithub.com/Automattic/mongoose/issues/10678)
- fix(index.d.ts): simplify UpdateQuery to avoid "excessively deep and possibly infinite" errors with `extends Document` and `any` [#10647](https://togithub.com/Automattic/mongoose/issues/10647)
- fix(index.d.ts): allow specifying weights as an IndexOption [#10586](https://togithub.com/Automattic/mongoose/issues/10586)
- fix: upgrade to mpath v0.8.4 re: security issue [#10683](https://togithub.com/Automattic/mongoose/issues/10683)

### [`v5.13.8`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5138--2021-08-23)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.7...5.13.8)

- fix(populate): handle populating subdoc array virtual with sort [#10552](https://togithub.com/Automattic/mongoose/issues/10552)
- fix(model): check for code instead of codeName when checking for existing collections for backwards compat with MongoDB 3.2 [#10420](https://togithub.com/Automattic/mongoose/issues/10420)
- fix(index.d.ts): correct value of this for custom query helper methods [#10545](https://togithub.com/Automattic/mongoose/issues/10545)
- fix(index.d.ts): allow strings for ObjectIds in nested properties [#10573](https://togithub.com/Automattic/mongoose/issues/10573)
- fix(index.d.ts): add match to VirtualTypeOptions.options [#8749](https://togithub.com/Automattic/mongoose/issues/8749)
- fix(index.d.ts): allow QueryOptions populate parameter type PopulateOptions [#10587](https://togithub.com/Automattic/mongoose/issues/10587) [osmanakol](https://togithub.com/osmanakol)
- docs(api): add Document#$where to API docs [#10583](https://togithub.com/Automattic/mongoose/issues/10583)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR has been generated by Mend Renovate. View repository job log here.
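A defensive counterpart to the CVE-2022-24304 proof of concept above, added here as an example rather than code from mongoose or from this repository: a nested-path setter that refuses the `__proto__`, `constructor` and `prototype` segments the advisory describes, plus a check that `Object.prototype.toString` is still intact after schema definitions are loaded. The names `isPollutingPath`, `safeSetPath` and `prototypeIsClean` are assumptions of this example.

```javascript
// Added example, not part of mongoose: hardened dotted-path assignment.
// Path segments that can reach Object.prototype are rejected up front.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// True when any segment of a dotted path could walk into the prototype chain,
// e.g. the '__proto__.toString' payload from the PoC.
function isPollutingPath(path) {
  return String(path).split('.').some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Sets `value` at dotted `path` inside `target`, creating intermediate
// containers as needed. Throws instead of descending into inherited keys.
function safeSetPath(target, path, value) {
  if (isPollutingPath(path)) {
    throw new TypeError(`refusing to set prototype-reaching path: ${path}`);
  }
  const segments = String(path).split('.');
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    // Only descend into own, non-null objects; otherwise start a fresh
    // prototype-less container so nothing inherited can be reached.
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = Object.create(null);
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Post-load sanity check: a fresh object must still inherit the built-in
// toString. After the PoC runs on a vulnerable version this returns false
// (or x.toString() throws, which is the DoS the advisory describes).
function prototypeIsClean() {
  const x = {};
  return typeof x.toString === 'function' && x.toString() === '[object Object]';
}

// Constructed sample schema paths, as an application might load them from config.
const samplePaths = ['name', 'address.city', '__proto__.toString'];
const accepted = samplePaths.filter((p) => !isPollutingPath(p));
console.log('accepted paths:', accepted, 'prototype clean:', prototypeIsClean());
```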

secure-code-warrior-for-github[bot] commented 11 months ago

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"


By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or to replace critical attributes with malicious ones. This can be problematic if the software depends on the existence or non-existence of certain attributes, or uses pre-defined attributes of the object prototype (such as hasOwnProperty, toString or valueOf).


secure-code-warrior-for-github[bot] commented 2 months ago

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable for legitimate users, by manipulating network packets or by exploiting programming, logical, or resource-handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
