GHSA-M734-R4G6-34F9
Vulnerability from github – Published: 2019-06-04 19:36 – Updated: 2021-08-04 20:47
VLAI?
Summary
NoSQL Injection in loopback-connector-mongodb
Details
Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection.
MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions here).
A proof of concept malicious query:
GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}
The above makes the database sleep for 5 seconds and then returns all “Posts” with the title containing the word Hello.
Recommendation
Update to version 3.6.0 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "loopback-connector-mongodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2019-06-04T19:35:47Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `loopback-connector-mongodb` before 3.6.0 are vulnerable to NoSQL injection.\n\nMongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous `$where` property to be passed to the MongoDB Driver. The Driver allows the special `$where` property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an [intended feature of MongoDB](https://docs.mongodb.com/manual/core/server-side-javascript/) unless disabled ([instructions here](https://docs.mongodb.com/manual/core/server-side-javascript/#disable-server-side-js)).\n\nA proof of concept malicious query:\n\n```\nGET /POST filter={\"where\": {\"$where\": \"function(){sleep(5000); return this.title.contains(\u0027Hello\u0027);}\"}}\n```\n\nThe above makes the database sleep for 5 seconds and then returns all \u201cPosts\u201d with the title containing the word `Hello`.\n\n\n\n\n## Recommendation\n\nUpdate to version 3.6.0 or later.",
"id": "GHSA-m734-r4g6-34f9",
"modified": "2021-08-04T20:47:58Z",
"published": "2019-06-04T19:36:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/strongloop/loopback-connector-mongodb/issues/403"
},
{
"type": "WEB",
"url": "https://github.com/strongloop/loopback-connector-mongodb/pull/452"
},
{
"type": "WEB",
"url": "https://github.com/strongloop/loopback-connector-mongodb/commit/ee24cd08b8ccc32711264831c71b1da628df357b"
},
{
"type": "WEB",
"url": "https://loopback.io/doc/en/lb3/Security-advisory-08-15-2018.html"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/696"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "NoSQL Injection in loopback-connector-mongodb"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…