New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency mongoose to v5.13.20 [security] #291

Open

renovate wants to merge 1 commit into master from renovate/npm-mongoose-vulnerability

Contributor

renovate bot commented Mar 19, 2023 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mongoose (source)	`5.13.5` -> `5.13.20`

GitHub Vulnerability Alerts

CVE-2022-2564

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2022-24304

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

malicious_payload = '__proto__.toString'

schema.path(malicious_payload, [String])

x = {}
console.log(x.toString()) // crashed (Denial of service (DoS) attack)

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.

Release Notes

Automattic/mongoose (mongoose)

`v5.13.20`

`v5.13.19`

`v5.13.18`

`v5.13.17`

====================

fix: backport fix for array filters handling $or and $and #13195 #13192 #10696 raj-goguardian
fix: update the isIndexEqual function to take into account non-text indexes when checking compound indexes that include both text and non-text indexes #13138 #13136 rdeavila94

`v5.13.16`

====================

fix: make access to process.versions lazy #12584 maciasello
fix(types): add missing type definitions for bulkSave() #12019
docs: backport documentation URL updates #12692 hasezoey

`v5.13.15`

====================

fix: backport fix for CVE-2022-2564 #12281 shubanker
docs: fix broken link from findandmodify method deprecation #11366 laissonsilveira

`v5.13.14`

====================

fix(timestamps): avoid setting createdAt on documents that already exist but dont have createdAt #11024
docs(models): fix up nModified example for 5.x #11055

`v5.13.13`

====================

fix: upgrade to mongodb@3.7.3 #10909 gaurav-sharma-gs
fix: correctly emit end event in before close #10916 iovanom
fix(index.d.ts): improve ts types for query set #10942 jneal-afs

`v5.13.12`

====================

fix(cursor): use stream destroy method on close to prevent emitting duplicate 'close' #10897 iovanom
fix(index.d.ts): backport streamlining of FilterQuery and DocumentDefinition to avoid "excessively deep and possibly infinite" TS errors #10617

`v5.13.11`

====================

fix: upgrade mongodb -> 3.7.2 #10871 winstonralph
fix(connection): call setMaxListeners(0) on MongoClient to avoid event emitter memory leak warnings with useDb() #10732

`v5.13.10`

====================

fix(index.d.ts): allow using type: SchemaDefinitionProperty in schema definitions #10674
fix(index.d.ts): allow AnyObject as param to findOneAndReplace() #10714

`v5.13.9`

===================

fix(populate): avoid setting empty array on lean document when populate result is undefined #10599
fix(document): make depopulate() handle populated paths underneath document arrays #10592
fix: peg @types/bson version to 1.x || 4.0.x to avoid stubbed 4.2.x release #10678
fix(index.d.ts): simplify UpdateQuery to avoid "excessively deep and possibly infinite" errors with extends Document and any #10647
fix(index.d.ts): allow specifying weights as an IndexOption #10586
fix: upgrade to mpath v0.8.4 re: security issue #10683

`v5.13.8`

===================

fix(populate): handle populating subdoc array virtual with sort #10552
fix(model): check for code instead of codeName when checking for existing collections for backwards compat with MongoDB 3.2 #10420
fix(index.d.ts): correct value of this for custom query helper methods #10545
fix(index.d.ts): allow strings for ObjectIds in nested properties #10573
fix(index.d.ts): add match to VirtualTypeOptions.options #8749
fix(index.d.ts): allow QueryOptions populate parameter type PopulateOptions #10587 osmanakol
docs(api): add Document#$where to API docs #10583

`v5.13.7`

===================

perf(index.d.ts): loosen up restrictions on ModelType generic for Schema for a ~50% perf improvement when compiling TypeScript and using intellisense #10536 #10515 #10349
fix(index.d.ts): fix broken Schema#index() types #10562 JaredReisinger
fix(index.d.ts): allow using SchemaTypeOptions with array of raw document interfaces #10537
fix(index.d.ts): define IndexOptions in terms of mongodb.IndexOptions #10563 JaredReisinger
fix(index.d.ts): improve intellisense for DocumentArray push() #10546
fix(index.d.ts): correct type for expires #10529
fix(index.d.ts): add Query#model property to ts bindings #10531
refactor(index.d.ts): make callbacks use the new Callback and CallbackWithoutResult types #10550 thiagokisaki

`v5.13.6`

===================

fix: upgrade mongodb driver -> 3.6.11 #10543 maon-fp
fix(schema): throw more helpful error when defining a document array using a schema from a different copy of the Mongoose module #10453
fix: add explicit check on constructor property to avoid throwing an error when checking objects with null prototypes #10512
fix(cursor): make sure to clear stack every 1000 docs when calling next() to avoid stack overflow with large batch size #10449
fix(index.d.ts): allow calling new Model(...) with generic Model param #10526
fix(index.d.ts): update type declarations of Schema.index method #10538 #10530 Raader
fix(index.d.ts): add useNewUrlParser and useUnifiedTopology to ConnectOptions #10500
fix(index.d.ts): add missing type for diffIndexes #10547 bvgusak
fix(index.d.ts): fixed incorrect type definition for Query's .map function #10544 GCastilho
docs(schema): add more info and examples to Schema#indexes() docs #10446
chore: add types property to package.json #10557 thiagokisaki

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate bot changed the title ~~chore(deps): update dependency mongoose to 5.13.15 [security]~~ fix(deps): update dependency mongoose to v5.13.15 [security]


          fix(deps): update dependency mongoose to v5.13.20 [security]

cd385ea

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 87d8824 to cd385ea Compare

August 1, 2023 07:26

renovate bot changed the title ~~fix(deps): update dependency mongoose to v5.13.15 [security]~~ fix(deps): update dependency mongoose to v5.13.20 [security]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment