Vulnerable Library - mongodb-4.12.1.tgz
The official MongoDB driver for Node.js
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-4.12.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongodb/package.json
Vulnerabilities
CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in (mongodb version) |
Remediation Possible** |
CVE-2021-32050 |
High |
7.5 |
mongodb-4.12.1.tgz |
Direct |
mongodb - 3.6.10,4.17.0,5.8.0 |
❌ |
CVE-2023-34104 |
High |
7.5 |
fast-xml-parser-4.0.11.tgz |
Transitive |
4.13.0 |
❌ |
CVE-2023-26920 |
Medium |
6.5 |
fast-xml-parser-4.0.11.tgz |
Transitive |
4.13.0 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-32050
Vulnerable Library - mongodb-4.12.1.tgz
The official MongoDB driver for Node.js
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-4.12.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongodb/package.json
Dependency Hierarchy:
- ❌ mongodb-4.12.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
Publish Date: 2023-08-29
URL: CVE-2021-32050
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-vxvm-qww3-2fh7
Release Date: 2023-08-29
Fix Resolution: mongodb - 3.6.10,4.17.0,5.8.0
Step up your Open Source Security Game with Mend here
CVE-2023-34104
Vulnerable Library - fast-xml-parser-4.0.11.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fast-xml-parser/package.json
Dependency Hierarchy:
- mongodb-4.12.1.tgz (Root Library)
- credential-providers-3.218.0.tgz
- client-sts-3.218.0.tgz
- ❌ fast-xml-parser-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the processEntities: false
option.
Publish Date: 2023-06-06
URL: CVE-2023-34104
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-6w63-h3fj-q4vw
Release Date: 2023-06-06
Fix Resolution (fast-xml-parser): 4.2.4
Direct dependency fix Resolution (mongodb): 4.13.0
Step up your Open Source Security Game with Mend here
CVE-2023-26920
Vulnerable Library - fast-xml-parser-4.0.11.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fast-xml-parser/package.json
Dependency Hierarchy:
- mongodb-4.12.1.tgz (Root Library)
- credential-providers-3.218.0.tgz
- client-sts-3.218.0.tgz
- ❌ fast-xml-parser-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fast-xml-parser before 4.1.2 allows proto for Prototype Pollution.
Publish Date: 2023-12-12
URL: CVE-2023-26920
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-x3cc-x39p-42qx
Release Date: 2023-02-27
Fix Resolution (fast-xml-parser): 4.1.2
Direct dependency fix Resolution (mongodb): 4.13.0
Step up your Open Source Security Game with Mend here