Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🚨 [security] Update mongoose 5.13.8 → 8.8.3 (major) #88

Closed
wants to merge 1 commit into from
Closed

🚨 [security] Update mongoose 5.13.8 → 8.8.3 (major) #88

wants to merge 1 commit into from

Conversation

depfu[bot]
Copy link
Contributor

@depfu depfu bot commented Dec 3, 2024
edited
Loading

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ mongoose (5.13.8 → 8.8.3) · Repo · Changelog

Security Advisories 🚨

🚨 Mongoose search injection vulnerability

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

🚨 Mongoose search injection vulnerability

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

🚨 Mongoose search injection vulnerability

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

🚨 Mongoose Prototype Pollution vulnerability

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

🚨 Mongoose Prototype Pollution vulnerability

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

🚨 Mongoose Prototype Pollution vulnerability

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

🚨 Mongoose Vulnerable to Prototype Pollution in Schema Object

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

malicious_payload = 'proto.toString'


schema.path(malicious_payload, [String])


x = {}

console.log(x.toString()) // crashed (Denial of service (DoS) attack)

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.

🚨 Mongoose Vulnerable to Prototype Pollution in Schema Object

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

malicious_payload = 'proto.toString'


schema.path(malicious_payload, [String])


x = {}

console.log(x.toString()) // crashed (Denial of service (DoS) attack)

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.

🚨 automattic/mongoose vulnerable to Prototype pollution via Schema.path

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

🚨 automattic/mongoose vulnerable to Prototype pollution via Schema.path

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ bson (indirect, 1.1.6 → 6.10.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ kareem (indirect, 2.3.2 → 2.6.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 73 commits:

↗️ mongodb (indirect, 3.6.11 → 6.10.0) · Repo · Changelog

Security Advisories 🚨

🚨 MongoDB Driver may publish events containing authentication-related data

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.

Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).

This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

🚨 MongoDB Driver may publish events containing authentication-related data

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.

Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).

This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mpath (indirect, 0.8.3 → 0.9.0) · Repo · Changelog

Security Advisories 🚨

🚨 Type confusion in mpath

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

Release Notes

0.9.0 (from changelog)

  • feat: export stringToParts()

0.8.4 (from changelog)

  • fix: throw error if parts contains an element that isn't a string or number #13

Does any of this look wrong? Please let us know.

↗️ mquery (indirect, 3.2.5 → 5.0.0) · Repo · Changelog

Release Notes

5.0.0 (from changelog)

  • BREAKING CHANGE: drop callback support #137 hasezoey
  • BREAKING CHANGE: remove custom promise library support #137 hasezoey
  • BREAKING CHANGE: remove long deprecated update, remove functions #136 hasezoey
  • BREAKING CHANGE: remove collection ducktyping: first param to mquery() is now always the query filter #138
  • feat: support MongoDB Node driver 5 #137 hasezoey

4.0.3 (from changelog)

  • fix: allow using comment with findOneAndUpdate(), count(), distinct() and hint with findOneAndUpdate() Automattic/mongoose#11793

4.0.2 (from changelog)

  • perf: replace regexp-clone with native functionality #131 Uzlopak

4.0.1 (from changelog)

4.0.0 / 2021-08-24

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sift (indirect, 13.5.2 → 17.1.3) · Repo · Changelog

Release Notes

16.0.0 (from changelog)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 72 commits:

🆕 @​mongodb-js/saslprep (added, 1.1.9)

🆕 @​types/webidl-conversions (added, 7.0.3)

🆕 @​types/whatwg-url (added, 11.0.5)

🆕 mongodb-connection-string-url (added, 3.0.1)

🗑️ @​types/bson (removed)

🗑️ @​types/mongodb (removed)

🗑️ @​types/node (removed)

🗑️ bl (removed)

🗑️ bluebird (removed)

🗑️ core-util-is (removed)

🗑️ denque (removed)

🗑️ mongoose-legacy-pluralize (removed)

🗑️ optional-require (removed)

🗑️ process-nextick-args (removed)

🗑️ regexp-clone (removed)

🗑️ saslprep (removed)

🗑️ sliced (removed)

🗑️ util-deprecate (removed)

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Dec 3, 2024
@depfu depfu bot assigned raravi Dec 3, 2024
@depfu Depfu
Copy link
Contributor Author

depfu bot commented Jan 16, 2025

Closed in favor of #89.

@depfu depfu bot closed this Jan 16, 2025
@depfu depfu bot deleted the depfu/update/npm/mongoose-8.8.3 branch January 16, 2025 16:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@raravi raravi

Labels
depfu
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@raravi