Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-RC4V-99CR-PJCM
HistoryOct 17, 2023 - 2:21 p.m.

Prototype Pollution in ali-security/mongoose

2023-10-1714:21:16
Google
osv.dev
22
mongoose
document.js
remote code execution
express
ejs
cve-2023-3696
@seal-security/mongoose-fixed
version 5.3.3
version 5.3.4
cve-2022-2564
cve-2019-17426

0.006 Low

EPSS

Percentile

78.6%

JSON

Impact

This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate().
For applications using Express and EJS, this can potentially allow remote code execution.

Patches

The original patched version for mongoose 5.3.3 did not include a fix for CVE-2023-3696. Therefore the existing version @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (though it is protected from CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, a @seal-security/mongoose-fixed version 5.3.4 has been deployed. Note that this version is compatible with the original mongoose version 5.3.3, not version 5.3.4

References

https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721
https://github.com/advisories/GHSA-9m93-w8w6-76hh
https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2

CPENameOperatorVersion
@seal-security/mongoose-fixedeq5.3.3

Related

github 4
prion 3
osv 8
veracode 3
cvelist 3
cve 4
huntr 2
openvas 1
github
github
Prototype Pollution in ali-security/mongoose
2023-10-17 14:21:16
Improper Input Validation in Automattic Mongoose
2019-10-22 20:19:54
automattic/mongoose vulnerable to Prototype pollution via Schema.path
2022-07-29 00:00:18
prion
prion
Improper access control
2019-10-10 02:05:00
Code injection
2022-07-28 20:15:00
Code injection
2023-07-17 01:15:00
osv
osv
CVE-2019-17426
2019-10-10 02:05:46
Improper Input Validation in Automattic Mongoose
2019-10-22 20:19:54
BIT-mongoose-2022-2564
2024-03-06 10:56:53
veracode
veracode
Access Control Bypass
2019-10-11 08:30:52
Denial Of Service (DOS)
2022-07-29 16:58:44
Prototype Pollution
2023-07-18 14:39:39
cvelist
cvelist
CVE-2019-17426
2019-10-10 00:35:17
CVE-2022-2564 Prototype Pollution in automattic/mongoose
2022-07-28 15:21:20
CVE-2023-3696 Prototype Pollution in automattic/mongoose
2023-07-17 00:00:21
cve
cve
CVE-2019-17426
2019-10-10 02:05:00
CVE-2022-2564
2022-07-28 20:15:00
CVE-2023-3696
2023-07-17 01:15:08
huntr
huntr
Possible prototype pollution in Schema.path
2022-06-15 09:25:28
Mongoose Prototype Pollution Vulnerability
2023-07-07 00:59:10
openvas
openvas
Mongoose Web Server < 7.3.4 Prototype Pollution Vulnerability
2023-07-17 00:00:00

0.006 Low

EPSS

Percentile

78.6%

JSON
Related for OSV:GHSA-RC4V-99CR-PJCM
github4prion3osv8veracode3cvelist3cve4huntr2openvas1