GHSA-rc4v-99cr-pjcm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rc4v-99cr-pjcm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-rc4v-99cr-pjcm/GHSA-rc4v-99cr-pjcm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rc4v-99cr-pjcm
- Published
- 2023-10-17T14:21:16Z
- Modified
- 2023-10-17T14:21:16Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H CVSS Calculator
- Summary
- Prototype Pollution in ali-security/mongoose
- Details
-
Impact
This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate(). For applications using Express and EJS, this can potentially allow remote code execution.
Patches
The original patched version for mongoose 5.3.3 did not include a fix for CVE-2023-3696. Therefore the existing version @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (though it is protected from CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, a @seal-security/mongoose-fixed version 5.3.4 has been deployed. Note that this version is compatible with the original mongoose version 5.3.3, not version 5.3.4
References
https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721 https://github.com/advisories/GHSA-9m93-w8w6-76hh https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-1321" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-10-17T14:21:16Z" }- References
Affected packages
npm / @seal-security/mongoose-fixed
Package
- Name
- @seal-security/mongoose-fixed
- View open source insights on deps.dev
- Purl
- pkg:npm/%40seal-security/mongoose-fixed