"example" package flagged for CVE-2019-17426
richgerrard opened this issue · 3 comments
Line ref:
Scan result:

| Field | Value |
|---|---|
| Severity | moderate |
| Package | mongoose |
| CVE | CVE-2019-17426 |
| Fix Status | fixed in 5.7.5 |
| Impacted versions | <5.7.5 |
| Discovered | 12 days ago |
| Published | >12 months ago |

Description: Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
~~
Background:
We include the terminus package in some of our images; when scanned during the CI process, these images are flagged for including another package with a known CVE, for which fixes are available.
Ideally, not including pinned packages in the example directory would fix this issue.
Upgrading it to a version that is not vulnerable would also suffice.
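As an added illustration of the CVE text quoted above (not code from this issue, from terminus, or from mongoose), the snippet below shows the defense-in-depth check an application can run on a user-supplied filter before it reaches the driver: walk the decoded JSON and refuse any nested object that carries a `_bsontype` key, the attribute the description says older js-bson silently drops from the serialized query. The function names and the sample payloads are assumptions for illustration; the real remedy remains upgrading mongoose to 5.7.5 or later, this check only catches the payload shape named in the advisory.

```javascript
// Added example, not code from the issue or the projects it mentions.
// Rejects user-controlled filters that carry a `_bsontype` key anywhere,
// since the CVE text says older js-bson ignores such query objects.
const FORBIDDEN_KEY = '_bsontype';

/**
 * Recursively scan a JSON-decoded filter. Returns the dotted path of the
 * first offending key, or null if the filter is clean. Only plain objects
 * and arrays are descended into; primitives cannot carry the attribute.
 */
function findBsontypeKey(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findBsontypeKey(value[i], `${path}[${i}]`);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key === FORBIDDEN_KEY) return here;
      const hit = findBsontypeKey(value[key], here);
      if (hit !== null) return hit;
    }
  }
  return null;
}

/** Throw before the filter ever reaches the driver if it carries `_bsontype`. */
function assertSafeFilter(filter) {
  const hit = findBsontypeKey(filter);
  if (hit !== null) {
    throw new Error(`refusing filter: "${FORBIDDEN_KEY}" found at ${hit}`);
  }
  return filter;
}

// Constructed sample inputs, modelled on the advisory's "_bsontype":"a".
const benignFilter = { username: 'alice', password: 'hunter2' };
const taintedFilter = { username: 'alice', password: { _bsontype: 'a' } };
const taintedInArray = {
  $or: [{ username: 'alice' }, { token: { _bsontype: 'a' } }],
};

/** Run the check over the three samples and report the outcome of each. */
function demo() {
  const results = [];
  for (const filter of [benignFilter, taintedFilter, taintedInArray]) {
    try {
      assertSafeFilter(filter);
      results.push('ok');
    } catch (err) {
      results.push(err.message);
    }
  }
  return results;
}

console.log(demo());
```

Call `assertSafeFilter` on the request body right after JSON decoding, before the object is handed to `Model.find` or `findOne`; rejecting rather than stripping the key keeps the tampering visible in logs.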
@richgerrard would you mind sending a PR fixing it?
@gergelyke @richgerrard I've submitted a PR which should address this issue. #159
Hey folks, I see that a fix for this has been merged and a 4.4.2 version has been tagged. Any idea when we can expect this new version sans examples to be released to npm?