GHSA-r5xw-q988-826m

Source
https://github.com/advisories/GHSA-r5xw-q988-826m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-r5xw-q988-826m/GHSA-r5xw-q988-826m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r5xw-q988-826m
Published
2020-09-01T19:39:37Z
Modified
2023-12-07T22:05:28Z
Severity
  • 5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Remote Memory Exposure in mongoose
Details

Versions of mongoose before 4.3.6 (and 3.x versions before 3.8.39) are vulnerable to remote memory exposure.

Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database.
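The following is an added illustration by the editor, not mongoose's own code. It assumes that the behaviour described above stems from casting the field value with the legacy Buffer(value) constructor, which, given a number, allocated that many bytes without clearing them (Node.js before version 8). The vulnerable cast is shown for contrast, with Buffer.allocUnsafe standing in for the legacy constructor since current Node zero-fills Buffer(number); the hardened cast accepts only inputs that actually carry bytes and refuses bare numbers, which is the check a schema type should perform.

```javascript
// Editor's example; function names are hypothetical, not mongoose's API.

// Vulnerable pattern (contrast only): a numeric value is treated as a
// length, so the stored field becomes `value` bytes of whatever was in
// memory. Buffer.allocUnsafe models the pre-Node-8 Buffer(number) here.
function castToBufferVulnerable(value) {
  if (typeof value === 'number') {
    return Buffer.allocUnsafe(value); // length = value, contents not cleared
  }
  return Buffer.from(value);
}

// Hardened cast: only shapes that carry real bytes are accepted.
// A bare number is rejected instead of being interpreted as a size.
function castToBuffer(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'string') return Buffer.from(value, 'utf8');
  if (value instanceof Uint8Array) return Buffer.from(value);
  if (Array.isArray(value) &&
      value.every((b) => Number.isInteger(b) && b >= 0 && b <= 255)) {
    return Buffer.from(value);
  }
  // JSON-serialised Buffer shape: { type: 'Buffer', data: [...] }
  if (value && typeof value === 'object' &&
      value.type === 'Buffer' && Array.isArray(value.data)) {
    return castToBuffer(value.data);
  }
  throw new TypeError(`Cannot cast ${typeof value} to Buffer`);
}

// Small driver so the block runs stand-alone: returns what each cast
// produced for a numeric input, so the difference is visible.
function compareCasts(n) {
  const vulnerableLength = castToBufferVulnerable(n).length;
  let hardenedRejected = false;
  try {
    castToBuffer(n);
  } catch (e) {
    hardenedRejected = e instanceof TypeError;
  }
  return { vulnerableLength, hardenedRejected };
}

console.log(compareCasts(16));
```

The point of the hardened version is that a Buffer field never derives its length from user-supplied arithmetic: every accepted input already has contents, and where a schema really needs an empty buffer of a given size it should use Buffer.alloc, which zero-fills.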

Recommendation

Update to version 4.3.6 or later (or 3.8.39 or later on the 3.x branch).

Database specific
{
    "github_reviewed_at": "2020-08-31T18:29:22Z",
    "cwe_ids": [
        "CWE-201"
    ],
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed": true
}
Affected packages

npm / mongoose
Affected ranges (type: SEMVER)
  • Introduced: 3.5.5
  • Fixed: 3.8.39
Database specific
{
    "last_known_affected_version_range": "<= 3.8.38"
}

npm / mongoose
Affected ranges (type: SEMVER)
  • Introduced: 4.0.0
  • Fixed: 4.3.6
Database specific
{
    "last_known_affected_version_range": "<= 4.3.5"
}