
Commit fb0240e

committed
feat: update last 3 advisories
Signed-off-by: Rifa Achrinza <[email protected]>
1 parent 3b52f1f commit fb0240e

24 files changed

+4839
-905
lines changed

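--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -5,15 +5,18 @@
 "json.schemas": [
 {
 "fileMatch": [
-"advisories/lbsa-*.csaf.json"
+"advisories/*/lbsec-*.csaf.json"
 ],
 "url": "https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json"
 },
 {
 "fileMatch": [
-"advisories/lbsa-*.osv.json"
+"advisories/*/lbsec-*.osv.json"
 ],
 "url": "./vendors/osv-schema/validation/schema.json"
 }
-]
+],
+"yaml.schemas": {
+"./vendors/local-gemnasium/schema.json": "advisories/*/lbsec-*.gemnasium.yaml"
+}
 }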

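--- a/advisories/README.md
+++ b/advisories/README.md
@@ -46,12 +46,8 @@ CSAF 2.0 document must also be reflected back in the CSAF 2.0 document itself.
 
 ## Vendors
 
-This section depends on [Secvisogram](../vendors/README.md#submodules) for
-validation, its ports of JSON Schemas from Draft-04 (No first-class AJV support)
-to Draft-2019, and for a strict variant of CSAF 2.0 JSON Schema. There are plans
-to utilise the other parts of the codebase for more thorough validation.
-
-It also depends on
+This section depends on [Secvisogram](../vendors/README.md#submodules) for CSAF
+2.0 validation and the
 [Open Source Vulnerability schema](../vendors/README.md#submodules) for JSON
 Schema-based OSV validation.
 
@@ -64,5 +60,4 @@ are future plans to add integration:
 | ----------------------------------------------------------------------------------------------------- | ------- |
 | Generation of security advisories on [loopback.io website](https://loopback.io/doc/en/sec/index.html) | Planned |
 | Publishing as a CSAF Provider through csaf.data.loopback.io | Planned |
-| Down-conversion and publication of CVRF 1.2 | Planned |
 | Sync with Gitlab Advisory Database | Planned |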

advisories/lbsec-20180815-1/lbsec-20180815-1.csaf.json

Lines changed: 1028 additions & 0 deletions
Lines changed: 167 additions & 0 deletions
@@ -0,0 +1,167 @@
1+
{
2+
"affected": [
3+
{
4+
"package": {
5+
"ecosystem": "npm",
6+
"name": "loopback-connector-mongodb",
7+
"purl": "pkg:npm/loopback-connector-mongodb"
8+
},
9+
"ranges": [
10+
{
11+
"events": [
12+
{
13+
"introduced": ""
14+
},
15+
{
16+
"fixed": "ee24cd08b8ccc32711264831c71b1da628df357b"
17+
}
18+
],
19+
"repo": "https://github.com/strongloop/loopback-connector-mongodb.git",
20+
"type": "GIT"
21+
},
22+
{
23+
"events": [
24+
{
25+
"introduced": "0"
26+
},
27+
{
28+
"fixed": "3.6.0"
29+
}
30+
],
31+
"type": "SEMVER"
32+
}
33+
],
34+
"versions": [
35+
"1.0.0",
36+
"1.1.0",
37+
"1.1.3",
38+
"1.1.4",
39+
"1.1.5",
40+
"1.1.6",
41+
"1.1.7",
42+
"1.1.8",
43+
"1.2.0",
44+
"1.2.1",
45+
"1.2.2",
46+
"1.2.3",
47+
"1.2.4",
48+
"1.2.5",
49+
"1.2.6",
50+
"1.3.0",
51+
"1.4.0",
52+
"1.4.1",
53+
"1.4.2",
54+
"1.4.3",
55+
"1.4.4",
56+
"1.4.5",
57+
"1.5.0",
58+
"1.6.0",
59+
"1.7.0",
60+
"1.8.0",
61+
"1.9.0",
62+
"1.9.1",
63+
"1.9.2",
64+
"1.10.0",
65+
"1.10.1",
66+
"1.11.0",
67+
"1.11.1",
68+
"1.11.2",
69+
"1.11.3",
70+
"1.12.0",
71+
"1.13.0",
72+
"1.13.1",
73+
"1.13.2",
74+
"1.13.3",
75+
"1.14.0",
76+
"1.15.0",
77+
"1.15.1",
78+
"1.15.2",
79+
"1.17.0",
80+
"1.18.0",
81+
"1.18.1",
82+
"3.0.0",
83+
"3.0.1",
84+
"3.1.0",
85+
"3.2.0",
86+
"3.2.1",
87+
"3.3.0",
88+
"3.3.1",
89+
"3.4.0",
90+
"3.4.1",
91+
"3.4.2",
92+
"3.4.3",
93+
"3.4.4",
94+
"3.5.0"
95+
]
96+
}
97+
],
98+
"aliases": [
99+
"GHSA-hxwc-5vw9-2w4w",
100+
"GHSA-m734-r4g6-34f9",
101+
"GMS-2019-37",
102+
"GMS-2020-360",
103+
"SNYK-JS-LOOPBACKCONNECTORMONGODB-73555"
104+
],
105+
"credits": [
106+
{
107+
"name": "Nelson Brandão",
108+
"urls": ["https://github.com/NelsonBrandao"]
109+
}
110+
],
111+
"database_specific": {
112+
"CWE": "CWE-89"
113+
},
114+
"details": "MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous `$where` property to be passed to the MongoDB Driver. The Driver allows the special `$where` property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an [intended feature of MongoDB](https://docs.mongodb.com/manual/core/server-side-javascript/) unless [disabled (instructions here)](https://docs.mongodb.com/manual/core/server-side-javascript/#disable-server-side-js).\n\nAn example malicious query:\n\n```\nGET /POST filter={\"where\": {\"$where\": \"function(){sleep(5000); return this.title.contains('Hello');}\"}}\n```\n\nThe above makes the database sleep for 5 seconds and then returns all \"Posts\" with the title containing the word `Hello`.\n\nThe connector now sanitizes all queries passed to the MongoDB Driver by default and deletes the `$where` and `mapReduce` properties. If you need to use these properties from within LoopBack programatically, you can disable the sanitization by passing in an `options` object with `disableSanitization` property set to `true`:\n\n```js\nPost.find(\n { where: { $where: \"function() { /*dangerous function here*/}\" } },\n { disableSanitization: true },\n (err, p) => {\n // code to handle results / error.\n }\n);\n```",
115+
"id": "LBSEC-20180815-1",
116+
"modified": "1970-01-01T00:00:00.000Z",
117+
"references": [
118+
{
119+
"type": "ADVISORY",
120+
"url": "https://github.com/advisories/GHSA-hxwc-5vw9-2w4w"
121+
},
122+
{
123+
"type": "ADVISORY",
124+
"url": "https://security.loopback.io/en/advisories/csaf/lbsa-20180815-1.csaf.json"
125+
},
126+
{
127+
"type": "ADVISORY",
128+
"url": "https://security.loopback.io/en/advisories/html/lbsa-20180815-1.html"
129+
},
130+
{
131+
"type": "ADVISORY",
132+
"url": "https://security.loopback.io/en/advisories/osv/lbsa-20180815-1.osv.json"
133+
},
134+
{
135+
"type": "ADVISORY",
136+
"url": "https://security.snyk.io/vuln/SNYK-JS-LOOPBACKCONNECTORMONGODB-73555"
137+
},
138+
{
139+
"type": "PACKAGE",
140+
"url": "https://loopback.io"
141+
},
142+
{
143+
"type": "PACKAGE",
144+
"url": "https://www.npmjs.com/package/loopback-connector-mongodb"
145+
},
146+
{
147+
"type": "REPORT",
148+
"url": "https://github.com/loopbackio/loopback-connector-mongodb/issues/403"
149+
},
150+
{
151+
"type": "WEB",
152+
"url": "https://github.com/loopbackio/loopback-connector-mongodb/commit/ee24cd08b8ccc32711264831c71b1da628df357b"
153+
},
154+
{
155+
"type": "WEB",
156+
"url": "https://github.com/loopbackio/loopback-connector-mongodb/pull/452"
157+
}
158+
],
159+
"schema_version": "1.2.0",
160+
"severity": [
161+
{
162+
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
163+
"type": "CVSS_V3"
164+
}
165+
],
166+
"summary": "`loopback-connector-mongodb` version 3.5.0 and below allows NoSQL Injections."
167+
}
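Review bot: The GIT range's first event is `"introduced": ""` (new line 13 of this OSV record, whose file-header line is not visible here), whereas OSV marks an open lower bound with the sentinel `"0"` — the SEMVER range in the same file already uses `"introduced": "0"` (line 25), so the empty string looks like an oversight and may be rejected or mis-ordered by consumers that compare event values; change it to `"introduced": "0"`. `"modified": "1970-01-01T00:00:00.000Z"` (line 116) reads as a placeholder; if no publishing step overwrites it, downstream databases that use `modified` to decide whether to re-ingest a record will treat this one as older than anything they already hold. The three self-referencing `security.loopback.io` URLs (lines 124, 128, 132) still use the `lbsa-20180815-1` name although the record `id` is `LBSEC-20180815-1` and this commit moves the editor globs in `.vscode/settings.json` to `lbsec-*`; confirm the published paths before these links go out. `database_specific.CWE` is `"CWE-89"` (SQL injection) while the summary and details describe NoSQL injection through `$where`; CWE-943 is the usual classification for injection into data-query logic, so the mapping is presumably worth a check.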
