Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-RC4V-99CR-PJCM
HistoryOct 17, 2023 - 2:21 p.m.

Prototype Pollution in ali-security/mongoose

2023-10-1714:21:16
Google
osv.dev
19

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.006 Low

EPSS

Percentile

78.5%

JSON

Impact

This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate().
For applications using Express and EJS, this can potentially allow remote code execution.

Patches

The original patched version for mongoose 5.3.3 did not include a fix for CVE-2023-3696. Therefore the existing version @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (though it is protected from CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, a @seal-security/mongoose-fixed version 5.3.4 has been deployed. Note that this version is compatible with the original mongoose version 5.3.3, not version 5.3.4

References

https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721
https://github.com/advisories/GHSA-9m93-w8w6-76hh
https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2

CPENameOperatorVersion
@seal-security/mongoose-fixedeq5.3.3

Related

github 4
veracode 3
osv 8
cve 4
prion 3
huntr 2
openvas 1
github
github
Prototype Pollution in ali-security/mongoose
2023-10-17 14:21:16
Improper Input Validation in Automattic Mongoose
2019-10-22 20:19:54
automattic/mongoose vulnerable to Prototype pollution via Schema.path
2022-07-29 00:00:18
veracode
veracode
Access Control Bypass
2019-10-11 08:30:52
Denial Of Service (DOS)
2022-07-29 16:58:44
Prototype Pollution
2023-07-18 14:39:39
osv
osv
CVE-2019-17426
2019-10-10 02:05:46
Improper Input Validation in Automattic Mongoose
2019-10-22 20:19:54
automattic/mongoose vulnerable to Prototype pollution via Schema.path
2022-07-29 00:00:18
cve
cve
CVE-2019-17426
2019-10-10 02:05:00
CVE-2022-2564
2022-07-28 20:15:00
CVE-2023-3696
2023-07-17 01:15:08
prion
prion
Improper access control
2019-10-10 02:05:00
Code injection
2022-07-28 20:15:00
Code injection
2023-07-17 01:15:00
huntr
huntr
Possible prototype pollution in Schema.path
2022-06-15 09:25:28
Mongoose Prototype Pollution Vulnerability
2023-07-07 00:59:10
openvas
openvas
Mongoose Web Server < 7.3.4 Prototype Pollution Vulnerability
2023-07-17 00:00:00

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.006 Low

EPSS

Percentile

78.5%

JSON
Related for OSV:GHSA-RC4V-99CR-PJCM
github4veracode3osv8cve4prion3huntr2openvas1