Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-RC4V-99CR-PJCM
HistoryOct 17, 2023 - 2:21 p.m.

Prototype Pollution in ali-security/mongoose

2023-10-1714:21:16
CWE-1321
GitHub Advisory Database
github.com
14
vulnerability
prototype pollution
document.js
remote code execution
express
ejs
patch
mongoose 5.3.3
cve-2023-3696
@seal-security/mongoose-fixed
cve-2022-2564
cve-2019-17426
compatibility
JSON

Impact

This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate().
For applications using Express and EJS, this can potentially allow remote code execution.

Patches

The original patched version for mongoose 5.3.3 did not include a fix for CVE-2023-3696. Therefore the existing version @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (though it is protected from CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, a @seal-security/mongoose-fixed version 5.3.4 has been deployed. Note that this version is compatible with the original mongoose version 5.3.3, not version 5.3.4

References

https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721
https://github.com/advisories/GHSA-9m93-w8w6-76hh
https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2

CPENameOperatorVersion
@seal-security/mongoose-fixedeq5.3.3

Related

osv 9
github 3
prion 3
cvelist 3
cve 4
veracode 3
huntr 2
openvas 1
osv
osv
Prototype Pollution in ali-security/mongoose
2023-10-17 14:21:16
CVE-2019-17426
2019-10-10 02:05:46
Improper Input Validation in Automattic Mongoose
2019-10-22 20:19:54
github
github
Improper Input Validation in Automattic Mongoose
2019-10-22 20:19:54
automattic/mongoose vulnerable to Prototype pollution via Schema.path
2022-07-29 00:00:18
Mongoose Prototype Pollution vulnerability
2023-07-17 03:30:20
prion
prion
Improper access control
2019-10-10 02:05:00
Code injection
2022-07-28 20:15:00
Code injection
2023-07-17 01:15:00
cvelist
cvelist
CVE-2019-17426
2019-10-10 00:35:17
CVE-2022-2564 Prototype Pollution in automattic/mongoose
2022-07-28 15:21:20
CVE-2023-3696 Prototype Pollution in automattic/mongoose
2023-07-17 00:00:21
cve
cve
CVE-2019-17426
2019-10-10 02:05:00
CVE-2022-2564
2022-07-28 20:15:00
CVE-2023-3696
2023-07-17 01:15:08
veracode
veracode
Access Control Bypass
2019-10-11 08:30:52
Denial Of Service (DOS)
2022-07-29 16:58:44
Prototype Pollution
2023-07-18 14:39:39
huntr
huntr
Possible prototype pollution in Schema.path
2022-06-15 09:25:28
Mongoose Prototype Pollution Vulnerability
2023-07-07 00:59:10
openvas
openvas
Mongoose Web Server < 7.3.4 Prototype Pollution Vulnerability
2023-07-17 00:00:00
JSON
Related for GHSA-RC4V-99CR-PJCM
osv9github3prion3cvelist3cve4veracode3huntr2openvas1