Found potential security vulnerability but got no response #12085

Closed
2 tasks done
vovikhangcdv opened this issue Jul 9, 2022 · 4 comments
@vovikhangcdv

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

Hi there,

I have found a potentially high-severity security issue in mongoose. I tried to contact Tidelift and also tried the maintainers' email, but got no response either. I am not creating a full-disclosure issue there because it could affect the users. So please get in touch with me by email at doublevkay@gmail.com or just access the report at https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd/ (privately accessible only by maintainers).

Thank you.

@vovikhangcdv
Author

Hi there, any update?

@Uzlopak
Collaborator

Uzlopak commented Jul 14, 2022

OK, as a collaborator I have access to it. I actually thought that this type of attack vector would be reported. I myself reported like 4 reports like this to other projects last week.

I will give some thought to how we can patch this.

@vovikhangcdv
Author

Thanks for your response @Uzlopak,
If there are any things you need to clarify, I would be glad to help.

@vkarpov15
Collaborator

Hi, I'm sorry for the delay, I missed this email. I'll discuss the issue in huntr.
