mend-for-github-com (bot) changed the title from "mongoose-4.2.4.tgz: 11 vulnerabilities (highest severity is: 9.8)" to "mongoose-4.2.4.tgz: 13 vulnerabilities (highest severity is: 9.8)" on Mar 13, 2023
mend-for-github-com (bot) changed the title from "mongoose-4.2.4.tgz: 13 vulnerabilities (highest severity is: 9.8)" to "mongoose-4.2.4.tgz: 13 vulnerabilities (highest severity is: 9.8) - autoclosed" on Mar 13, 2023
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - mongoose-4.2.4.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongoose/package.json
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Vulnerabilities
CVE / ID | CVSS 3 | Dependency | Type | Fixed in | Direct dependency fix (mongoose)
CVE-2021-23438 | 9.8 | mpath-0.1.1.tgz | Transitive | mpath 0.8.4 | none listed*
CVE-2022-2564 | 9.8 | mongoose-4.2.4.tgz | Direct | mongoose 6.4.6 | (direct dependency)
CVE-2020-7610 | 9.8 | bson-0.4.23.tgz | Transitive | bson 1.1.4 | none listed*
CVE-2019-17426 | 9.1 | mongoose-4.2.4.tgz | Direct | mongoose 5.7.5 | mongoose 4.13.20
CVE-2020-13110 | 7.8 | kerberos-0.0.24.tgz | Transitive | kerberos 1.0.0 | mongoose 4.13.20
WS-2016-0026 | 7.7 | mongoose-4.2.4.tgz | Direct | mongoose 3.8.36, 4.3.6 | mongoose 4.13.20
CVE-2018-16490 | 7.5 | mpath-0.1.1.tgz | Transitive | mpath 0.5.1 | mongoose 4.13.20
CVE-2017-20165 | 7.5 | debug-2.2.0.tgz | Transitive | debug 2.6.9, 3.1.0 | mongoose 4.13.20
WS-2018-0077 | 5.9 | mongoose-4.2.4.tgz | Direct | mongoose 3.8.39, 4.3.6 | mongoose 4.13.20
CVE-2019-2391 | 5.4 | bson-0.4.23.tgz | Transitive | bson 1.1.4 | none listed*
CVE-2017-20162 | 5.3 | ms-0.7.1.tgz | Transitive | ms 2.0.0 | mongoose 4.13.20
CVE-2020-35149 | 5.3 | mquery-1.6.3.tgz | Transitive | mquery 3.2.3 | none listed*
CVE-2017-16137 | 5.3 | debug-2.2.0.tgz | Transitive | debug 2.6.9 | mongoose 4.13.20
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
Details
CVE-2021-23438
Vulnerable Library - mpath-0.1.1.tgz
{G,S}et object values using MongoDB path notation
Library home page: https://registry.npmjs.org/mpath/-/mpath-0.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mpath/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the check ignoreProperties.indexOf(parts[i]) !== -1 is defeated when parts[i] is the array ['__proto__'] rather than the string '__proto__': Array.prototype.indexOf() compares with strict equality, so the array never matches the string entry in ignoreProperties and indexOf() returns -1, whereas the same value is coerced to the string "__proto__" when it is later used as a property key. The check therefore behaves differently depending on the type of the input.
Publish Date: 2021-09-01
URL: CVE-2021-23438
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23438
Release Date: 2021-09-01
Fix Resolution: mpath - 0.8.4
CVE-2022-2564
Vulnerable Library - mongoose-4.2.4.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongoose/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
Publish Date: 2022-07-28
URL: CVE-2022-2564
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2564
Release Date: 2022-07-28
Fix Resolution: mongoose - 6.4.6
In order to enable automatic remediation, please create workflow rules
CVE-2020-7610
Vulnerable Library - bson-0.4.23.tgz
A bson parser for node.js and the browser
Library home page: https://registry.npmjs.org/bson/-/bson-0.4.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongodb-core/node_modules/bson/package.json,/node_modules/mongoose/node_modules/bson/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Publish Date: 2020-03-30
URL: CVE-2020-7610
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-01
Fix Resolution: bson - 1.1.4
CVE-2019-17426
Vulnerable Library - mongoose-4.2.4.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongoose/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
Publish Date: 2019-10-10
URL: CVE-2019-17426
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17426
Release Date: 2019-10-10
Fix Resolution (mongoose): 5.7.5
Direct dependency fix Resolution (mongoose): 4.13.20
⛑️ Automatic Remediation is available for this issue
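CVE-2020-7610 and CVE-2019-17426 describe the same behaviour from two sides: the old js-bson serializer silently drops a key whose value is an object carrying an unrecognised _bsontype, and Mongoose through 5.7.4 passed such objects through to the driver. The JavaScript below is an added model written for this page, not js-bson or Mongoose code: `serializedKeysOldBson` imitates the drop with an illustrative subset of type names, `buildResetFilter` is a hypothetical password-reset lookup whose values come straight from the request body, and `assertNoBsonType` is the application-side check a caller can apply to request input whatever driver version is installed. The request bodies are constructed.

```javascript
'use strict';
// Added model of the _bsontype special case behind CVE-2020-7610 (js-bson < 1.1.4)
// and CVE-2019-17426 (Mongoose through 5.7.4). Not the libraries' own code.

// Illustrative subset of type names the serializer recognises; the real list is
// longer and lives in js-bson. Anything else carrying a _bsontype falls through.
const KNOWN_BSON_TYPES = new Set(['ObjectID', 'Long', 'Binary', 'Decimal128']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) && !(v instanceof Date);
}

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Imitates the old serializer's branch structure: a value with an unknown
// _bsontype matches no branch, so its key is omitted from the document that
// reaches the server. Returns the keys that survive.
function serializedKeysOldBson(filter) {
  const kept = [];
  for (const key of Object.keys(filter)) {
    const v = filter[key];
    if (isPlainObject(v) && hasOwn(v, '_bsontype') && !KNOWN_BSON_TYPES.has(v._bsontype)) {
      continue; // dropped silently
    }
    kept.push(key);
  }
  return kept;
}

// Hypothetical lookup: both values come from the request body and are passed to
// the driver unchanged, which is the situation the advisories describe.
function buildResetFilter(body) {
  return { email: body.email, resetToken: body.token };
}

// Application-side guard: reject any nested object that carries _bsontype.
// Throws TypeError with the offending path; returns the value unchanged otherwise.
function assertNoBsonType(value, path = 'filter') {
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertNoBsonType(item, `${path}[${i}]`));
  } else if (isPlainObject(value)) {
    if (hasOwn(value, '_bsontype')) {
      throw new TypeError(`unexpected _bsontype in untrusted input at ${path}`);
    }
    for (const key of Object.keys(value)) assertNoBsonType(value[key], `${path}.${key}`);
  }
  return value;
}

// Convenience wrapper that reports instead of throwing.
function filterIsSafe(filter) {
  try {
    assertNoBsonType(filter);
    return true;
  } catch (err) {
    if (err instanceof TypeError) return false;
    throw err;
  }
}

// Constructed request bodies: a legitimate reset and the bypass attempt.
const legitimateBody = { email: 'alice@example.test', token: 'c0ffee' };
const hostileBody = { email: 'alice@example.test', token: { _bsontype: 'a' } };

function demo() {
  const legit = buildResetFilter(legitimateBody);
  const hostile = buildResetFilter(hostileBody);
  return {
    legitKeys: serializedKeysOldBson(legit),     // ['email', 'resetToken']
    hostileKeys: serializedKeysOldBson(hostile), // ['email']: the token condition vanished
    legitPasses: filterIsSafe(legit),            // true
    hostilePasses: filterIsSafe(hostile),        // false
  };
}
```

With the hostile body the lookup degrades to "find the user by e-mail", which is the access-control bypass the advisory describes; the guard rejects the input before it reaches the driver, so it is worth keeping even after the bson and Mongoose upgrades.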
CVE-2020-13110
Vulnerable Library - kerberos-0.0.24.tgz
Kerberos library for Node.js
Library home page: https://registry.npmjs.org/kerberos/-/kerberos-0.0.24.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/kerberos/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
The kerberos package before 1.0.0 for Node.js allows arbitrary code execution and privilege escalation via injection of malicious DLLs through use of the kerberos_sspi LoadLibrary() method, because of a DLL path search.
Publish Date: 2020-05-16
URL: CVE-2020-13110
CVSS 3 Score Details (7.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1514
Release Date: 2020-05-20
Fix Resolution (kerberos): kerberos - 1.0.0
Direct dependency fix Resolution (mongoose): 4.13.20
⛑️ Automatic Remediation is available for this issue
WS-2016-0026
Vulnerable Library - mongoose-4.2.4.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongoose/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
There is a potential memory disclosure and DoS vulnerability in mongoose from 3.5.5 before 3.8.36 and from 4.0.0 before 4.3.6.
Publish Date: 2016-01-15
URL: WS-2016-0026
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2016-01-15
Fix Resolution (mongoose): 3.8.36,4.3.6
Direct dependency fix Resolution (mongoose): 4.13.20
⛑️ Automatic Remediation is available for this issue
CVE-2018-16490
Vulnerable Library - mpath-0.1.1.tgz
{G,S}et object values using MongoDB path notation
Library home page: https://registry.npmjs.org/mpath/-/mpath-0.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mpath/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16490
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/390860
Release Date: 2019-02-01
Fix Resolution (mpath): 0.5.1
Direct dependency fix Resolution (mongoose): 4.13.20
⛑️ Automatic Remediation is available for this issue
CVE-2017-20165
Vulnerable Library - debug-2.2.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mquery/node_modules/debug/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
Publish Date: 2023-01-09
URL: CVE-2017-20165
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-9vvw-cc9w-f27h
Release Date: 2023-01-09
Fix Resolution (debug): debug - 2.6.9,3.1.0
Direct dependency fix Resolution (mongoose): 4.13.20
⛑️ Automatic Remediation is available for this issue
WS-2018-0077
Vulnerable Library - mongoose-4.2.4.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongoose/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure.
Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database.
Publish Date: 2016-01-15
URL: WS-2018-0077
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2016-01-15
Fix Resolution (mongoose): 3.8.39,4.3.6
Direct dependency fix Resolution (mongoose): 4.13.20
⛑️ Automatic Remediation is available for this issue
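WS-2016-0026 and WS-2018-0077 both come down to one cast: a number arriving where a Buffer is expected was treated as a length, and on the Node.js versions of the time `new Buffer(length)` handed back whatever was already in that memory. The JavaScript below is an added illustration written for this page, not Mongoose's own Buffer cast: `castToBufferOld` reproduces the shape of the weak cast using Buffer.allocUnsafe so the behaviour is visible on a current Node.js (where `new Buffer(n)` is zero-filled), and `castToBufferSafe` is the hardened form that refuses numbers outright. The sample inputs are constructed.

```javascript
'use strict';
// Added illustration of the uninitialised-memory cast behind WS-2016-0026 and
// WS-2018-0077. Not Mongoose's own cast logic.

// Weak cast: a number is silently taken as a length. Buffer.allocUnsafe is used
// here to reproduce what new Buffer(n) did on the Node.js releases of the time:
// the bytes are whatever the allocator last held (possibly other requests' data),
// and that is what would be written to the database.
function castToBufferOld(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'number') return Buffer.allocUnsafe(value);
  if (typeof value === 'string' || Array.isArray(value)) return Buffer.from(value);
  throw new TypeError(`cannot cast ${typeof value} to Buffer`);
}

// Hardened cast: accept only representations that carry their own bytes.
// Numbers are rejected instead of being interpreted as a size.
function castToBufferSafe(value) {
  if (Buffer.isBuffer(value)) return Buffer.from(value); // copy, caller keeps no alias
  if (typeof value === 'string') return Buffer.from(value, 'utf8');
  if (Array.isArray(value) && value.every((b) => Number.isInteger(b) && b >= 0 && b <= 255)) {
    return Buffer.from(value);
  }
  throw new TypeError(`cannot cast ${Array.isArray(value) ? 'array' : typeof value} to Buffer`);
}

// Helper for callers that want a verdict instead of an exception.
function safeCastResult(value) {
  try {
    return { ok: true, bytes: castToBufferSafe(value) };
  } catch (err) {
    if (err instanceof TypeError) return { ok: false, reason: err.message };
    throw err;
  }
}

// Constructed inputs: values a document field declared as Buffer might receive,
// including the number a buggy or hostile client sends in place of bytes.
const sampleInputs = { text: 'hello', bytes: [104, 105], number: 4096 };

function demo() {
  return {
    oldNumberLength: castToBufferOld(sampleInputs.number).length,            // 4096 bytes of unspecified content
    safeText: safeCastResult(sampleInputs.text).bytes.toString('hex'),       // '68656c6c6f'
    safeBytes: safeCastResult(sampleInputs.bytes).ok,                        // true
    safeNumber: safeCastResult(sampleInputs.number).ok,                      // false
  };
}
```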
CVE-2019-2391
Vulnerable Library - bson-0.4.23.tgz
A bson parser for node.js and the browser
Library home page: https://registry.npmjs.org/bson/-/bson-0.4.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongodb-core/node_modules/bson/package.json,/node_modules/mongoose/node_modules/bson/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects MongoDB Inc. js-bson library versions 1.1.3 and prior.
Publish Date: 2020-03-31
URL: CVE-2019-2391
CVSS 3 Score Details (5.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2391
Release Date: 2020-09-29
Fix Resolution: bson - 1.1.4
CVE-2017-20162
Vulnerable Library - ms-0.7.1.tgz
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongoose/node_modules/ms/package.json,/node_modules/mquery/node_modules/ms/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.
Publish Date: 2023-01-05
URL: CVE-2017-20162
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2023-01-05
Fix Resolution (ms): ms - 2.0.0
Direct dependency fix Resolution (mongoose): 4.13.20
⛑️ Automatic Remediation is available for this issue
CVE-2020-35149
Vulnerable Library - mquery-1.6.3.tgz
Expressive query building for MongoDB
Library home page: https://registry.npmjs.org/mquery/-/mquery-1.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mquery/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., __proto__) can be copied during a merge or clone operation.
Publish Date: 2020-12-11
URL: CVE-2020-35149
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-11
Fix Resolution: 3.2.3
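The three prototype-pollution entries in this report (CVE-2018-16490 and CVE-2021-23438 in mpath, CVE-2020-35149 in mquery) share one failure shape: a key such as __proto__ is written through from untrusted input because the blocklist check is missing, or because it runs on a value of the wrong type and passes. The JavaScript below is an added illustration written for this page, not code from mpath, mquery or Mongoose: `setPath` and `merge` are deliberately simplified stand-ins for the library routines, and the ignore list, the `polluted` marker and the sample inputs are all constructed here.

```javascript
'use strict';
// Added illustration of the prototype-pollution pattern behind CVE-2018-16490,
// CVE-2021-23438 (mpath) and CVE-2020-35149 (mquery). Simplified stand-ins,
// not the libraries' own code.

// Keys that must never be written through from untrusted input.
const IGNORE = ['__proto__', 'constructor', 'prototype'];

// Weak check, as described in CVE-2021-23438: Array.prototype.indexOf compares
// with strict equality, so the array ['__proto__'] is never equal to the string
// '__proto__' in IGNORE and the check passes. When the same value is later used
// as a property key, JavaScript coerces it with String(), giving '__proto__'.
function isIgnoredWeak(part) {
  return IGNORE.indexOf(part) !== -1;
}

// Hardened check: a path part must be a string before it is compared.
function isIgnoredStrict(part) {
  return typeof part !== 'string' || IGNORE.indexOf(part) !== -1;
}

// Simplified "set by path": parts is an already-split path such as
// ['a', 'b'] or, from a hostile caller, [['__proto__'], 'polluted'].
// Returns true when the write was performed.
function setPath(parts, obj, value, isIgnored) {
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    if (isIgnored(part)) return false;
    if (cur[part] === null || typeof cur[part] !== 'object') cur[part] = {};
    cur = cur[part]; // obj[['__proto__']] is obj['__proto__'], i.e. Object.prototype
  }
  const last = parts[parts.length - 1];
  if (isIgnored(last)) return false;
  cur[last] = value;
  return true;
}

// Simplified recursive merge of the kind CVE-2020-35149 describes: JSON.parse
// produces an own property named "__proto__", and walking into target[key]
// lands on Object.prototype.
function merge(target, source, isIgnored) {
  for (const key of Object.keys(source)) {
    if (isIgnored(key)) continue;
    const v = source[key];
    if (v !== null && typeof v === 'object' && !Array.isArray(v)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      merge(target[key], v, isIgnored);
    } else {
      target[key] = v;
    }
  }
  return target;
}

const NO_CHECK = () => false;

// Runs an operation and reports whether it reached Object.prototype, then
// removes the marker so later code is unaffected.
function pollutes(operation) {
  const probe = {};
  try {
    operation();
    return probe.polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

// Constructed inputs: a plain string key (CVE-2018-16490 shape), the array
// wrapper that confuses the weak check (CVE-2021-23438 shape), and a parsed
// JSON body with an own "__proto__" key (CVE-2020-35149 shape).
const stringKey = ['__proto__', 'polluted'];
const arrayKey = [['__proto__'], 'polluted'];
const jsonBody = JSON.parse('{"__proto__": {"polluted": "yes"}}');

function demo() {
  return {
    setNoCheck: pollutes(() => setPath(stringKey, {}, 'yes', NO_CHECK)),          // true
    setWeakString: pollutes(() => setPath(stringKey, {}, 'yes', isIgnoredWeak)),  // false: string is caught
    setWeakArray: pollutes(() => setPath(arrayKey, {}, 'yes', isIgnoredWeak)),    // true: array bypasses
    setStrictArray: pollutes(() => setPath(arrayKey, {}, 'yes', isIgnoredStrict)), // false
    mergeNoCheck: pollutes(() => merge({}, jsonBody, NO_CHECK)),                  // true
    mergeStrict: pollutes(() => merge({}, jsonBody, isIgnoredStrict)),            // false
  };
}
```

The `setWeakArray` case is the CVE-2021-23438 bypass of the CVE-2018-16490 fix in miniature: the blocklist is present and correct for strings, and a single non-string part walks past it. Checking the type before the membership test closes both the array case and any other coercible object.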
CVE-2017-16137
Vulnerable Library - debug-2.2.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mquery/node_modules/debug/package.json
Dependency Hierarchy:
Found in HEAD commit: a1054901076ba8d51b417c27b922cc129f9747dd
Found in base branch: main
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-06-07
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (mongoose): 4.13.20
⛑️ Automatic Remediation is available for this issue
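CVE-2017-16137 and CVE-2017-20165 are the same defect on two release lines: the %o formatter collapsed newlines with a regular expression whose adjacent \s* quantifiers backtrack quadratically, so a long run of whitespace with no newline costs seconds once it reaches tens of thousands of characters (CVE-2017-20162 in ms is the same vulnerability class with a different pattern and is not shown). The JavaScript below is an added illustration written for this page, not debug's source: `collapseRegex` uses a pattern of that shape (an assumption about the original, not a quotation of it), `collapseLinear` produces the same output in a single pass, and `equivalentOn` plus `timeLinear` are the checks a reviewer would run before replacing the regex. The sample strings are constructed.

```javascript
'use strict';
// Added illustration of the ReDoS pattern behind CVE-2017-16137 / CVE-2017-20165.
// Not debug's source; the regex is an assumed stand-in of the vulnerable shape.

// Collapse every whitespace run that contains a newline into one space.
// \s*\n\s* is the problem: on a run of n spaces that never reaches a '\n',
// the engine retries from every position and backtracks through every split,
// giving O(n^2) work. The advisory text quotes roughly 50k characters for
// about two seconds of blocking.
function collapseRegex(s) {
  return s.replace(/\s*\n\s*/g, ' ');
}

// Same result in one linear pass: buffer each whitespace run, emit a single
// space if the run contained a newline, otherwise emit the run unchanged.
function collapseLinear(s) {
  let out = '';
  let run = '';
  let sawNewline = false;
  const flush = () => {
    out += sawNewline ? ' ' : run;
    run = '';
    sawNewline = false;
  };
  for (const ch of s) {
    if (/\s/.test(ch)) {
      run += ch;
      if (ch === '\n') sawNewline = true;
    } else {
      flush();
      out += ch;
    }
  }
  flush();
  return out;
}

// Constructed inputs covering the edge cases where a naive rewrite
// (split('\n') + trim) would diverge from the regex.
const equivalenceCases = [
  'a  \n  b',       // spaces on both sides of the newline
  'a\n\nb',         // two newlines inside one whitespace run
  '  a\nb  ',       // leading/trailing whitespace without a newline is kept
  'a \t b',         // whitespace without a newline is untouched
  '\n',             // run that is only a newline
  '',
  'x \n \n y \n z',
];

// Verifies the two implementations agree on every sample; returns the first
// mismatch (for debugging) or null when all agree.
function equivalentOn(samples) {
  for (const s of samples) {
    const a = collapseRegex(s);
    const b = collapseLinear(s);
    if (a !== b) return { input: s, regex: a, linear: b };
  }
  return null;
}

// Times the linear version on the attacker-shaped input (long whitespace, no
// newline). The regex version is deliberately not run at this size.
function timeLinear(length) {
  const hostile = ' '.repeat(length) + 'x';
  const started = Date.now();
  const result = collapseLinear(hostile);
  return { ms: Date.now() - started, unchanged: result === hostile };
}
```

Running `collapseRegex` on the 50k-character input is the reproduction; `timeLinear(50000)` finishing in milliseconds is the evidence that the replacement removed the blow-up rather than hiding it behind a length cap.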
⛑️ Automatic Remediation is available for this issue.
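Every entry above ends with a fixed version, and most of the transitive ones with the Mongoose release (4.13.20) that pulls the fixed version in. The JavaScript below is an added example written for this page, not a Mend feature: it reads the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports which of the thirteen findings are still present, using the fixed versions exactly as listed in this report. The lockfile fragment is constructed inline to mirror the "Path to vulnerable library" lines above. Version comparison is deliberately simple (numeric x.y.z, prerelease suffix ignored, affected lower bounds such as "from 3.5.5" not modelled), so it errs on the side of flagging.

```javascript
'use strict';
// Added example: check an npm lockfile's resolved versions against the fixed
// versions this report lists. Not a Mend feature; written for this page.

// Fixed versions as listed in the report. Where a fix exists on more than one
// release line (e.g. debug 2.6.9 and 3.1.0), each line gets an entry.
const ADVISORIES = [
  { id: 'CVE-2021-23438', pkg: 'mpath',    fixed: ['0.8.4'] },
  { id: 'CVE-2022-2564',  pkg: 'mongoose', fixed: ['6.4.6'] },
  { id: 'CVE-2020-7610',  pkg: 'bson',     fixed: ['1.1.4'] },
  { id: 'CVE-2019-17426', pkg: 'mongoose', fixed: ['4.13.20', '5.7.5'] },
  { id: 'CVE-2020-13110', pkg: 'kerberos', fixed: ['1.0.0'] },
  { id: 'WS-2016-0026',   pkg: 'mongoose', fixed: ['3.8.36', '4.3.6'] },
  { id: 'CVE-2018-16490', pkg: 'mpath',    fixed: ['0.5.1'] },
  { id: 'CVE-2017-20165', pkg: 'debug',    fixed: ['2.6.9', '3.1.0'] },
  { id: 'WS-2018-0077',   pkg: 'mongoose', fixed: ['3.8.39', '4.3.6'] },
  { id: 'CVE-2019-2391',  pkg: 'bson',     fixed: ['1.1.4'] },
  { id: 'CVE-2017-20162', pkg: 'ms',       fixed: ['2.0.0'] },
  { id: 'CVE-2020-35149', pkg: 'mquery',   fixed: ['3.2.3'] },
  { id: 'CVE-2017-16137', pkg: 'debug',    fixed: ['2.6.9'] },
];

// Numeric x.y.z parsing; a prerelease suffix (-beta.1) is dropped.
function parseVersion(v) {
  return String(v).split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// A version is still affected when it is below the fix on its own major line,
// or, if no fix exists on that line, below the highest fixed version overall.
// Lower bounds of affected ranges are not modelled, so releases that predate a
// bug are still flagged (conservative for a triage script).
function isVulnerable(version, fixedVersions) {
  const major = parseVersion(version)[0];
  const sameLine = fixedVersions.find((f) => parseVersion(f)[0] === major);
  const reference = sameLine
    || fixedVersions.reduce((hi, f) => (compareVersions(f, hi) > 0 ? f : hi));
  return compareVersions(version, reference) < 0;
}

// 'node_modules/mquery/node_modules/debug' -> 'debug'; scoped names keep their scope.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Walks lockfile.packages (lockfileVersion 2 or 3) and returns one finding per
// (advisory, installed path) pair, so a duplicated transitive dependency such
// as bson under two parents is reported at both paths.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || !meta || !meta.version) continue; // root entry or link
    const name = packageNameFromPath(lockPath);
    for (const adv of ADVISORIES) {
      if (adv.pkg === name && isVulnerable(meta.version, adv.fixed)) {
        findings.push({ id: adv.id, path: lockPath, version: meta.version, fixedIn: adv.fixed.join(' or ') });
      }
    }
  }
  return findings;
}

// Constructed lockfile fragment mirroring the "Path to vulnerable library"
// lines in this report.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/mongoose': { version: '4.2.4' },
    'node_modules/mpath': { version: '0.1.1' },
    'node_modules/mquery': { version: '1.6.3' },
    'node_modules/kerberos': { version: '0.0.24' },
    'node_modules/mongodb-core/node_modules/bson': { version: '0.4.23' },
    'node_modules/mongoose/node_modules/bson': { version: '0.4.23' },
    'node_modules/mongoose/node_modules/ms': { version: '0.7.1' },
    'node_modules/mquery/node_modules/ms': { version: '0.7.1' },
    'node_modules/mquery/node_modules/debug': { version: '2.2.0' },
  },
};

function summarize(lock) {
  const findings = scanLockfile(lock);
  return { findings: findings.length, distinctIds: new Set(findings.map((f) => f.id)).size };
}
```

For a real project, parse package-lock.json with JSON.parse and pass the object to `scanLockfile`. On the constructed fragment it reports 16 findings covering all 13 identifiers (bson and ms are installed twice). Note that five entries in this report list no direct-dependency fix on the 4.x line (CVE-2021-23438, CVE-2022-2564, CVE-2020-7610, CVE-2019-2391, CVE-2020-35149), so a scan after upgrading mongoose to 4.13.20 is expected to keep flagging those until the transitive packages themselves move to the listed versions.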