GHSA-hxwc-5vw9-2w4w – loopback-connector-mongodb
Package
Manager: npm
Name: loopback-connector-mongodb
Vulnerable Version: >=0 <3.6.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
NoSQL Injection in loopback-connector-mongodb

Versions of `loopback-connector-mongodb` prior to 3.6.0 are vulnerable to NoSQL Injection. Filters passed to the database query are not properly sanitized, which leads to execution of code on the database driver and a data leak.

## Recommendation

Upgrade to version 3.6.0 or later.
Metadata
Created: 2020-09-02T15:52:39Z
Modified: 2021-09-27T15:13:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-hxwc-5vw9-2w4w/GHSA-hxwc-5vw9-2w4w.json
CWE IDs: ["CWE-89"]
Alternative ID: N/A
Finding: F106
Auto approve: 1