
Backport _bsontype fix to 4.x #8241

Closed
dyon-assessments opened this issue Oct 11, 2019 · 11 comments

Comments

@dyon-assessments

Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

Source: MITRE
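One application-side mitigation for deployments that cannot move off 4.x, as an added example that is neither Mongoose's own code nor the fix linked later in this thread: reject any user-supplied filter that carries a `_bsontype` key anywhere in its structure before it reaches a Mongoose query. `DENIED_KEYS`, `findDeniedKey` and `assertSafeFilter` are names chosen here, and the sample filters are constructed.

```javascript
// Added example (not Mongoose's code): walk a query filter that came from an
// untrusted source (e.g. a JSON request body) and refuse it if any nested
// object carries a `_bsontype` key, the special case described above.
const DENIED_KEYS = new Set(['_bsontype']);

// Returns the path of the first denied key found (e.g. "/$or/1/_bsontype"),
// or null when the filter is clean. Arrays ($and/$or/$in) are descended too.
function findDeniedKey(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findDeniedKey(value[i], `${path}/${i}`);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (DENIED_KEYS.has(key)) return `${path}/${key}`;
      const hit = findDeniedKey(value[key], `${path}/${key}`);
      if (hit !== null) return hit;
    }
  }
  return null; // primitives (strings, numbers, null) carry no keys
}

// Call this on every filter before Model.find()/findOne()/updateOne();
// it throws on a hit so the query is never sent to the server.
function assertSafeFilter(filter) {
  const hit = findDeniedKey(filter);
  if (hit !== null) {
    throw new Error(`rejected query filter: denied key at ${hit}`);
  }
  return filter;
}

// Constructed sample inputs: a normal filter and one carrying the special key
// inside an $or branch, where a shallow top-level check would miss it.
const legitFilter = { owner: 'alice', status: { $in: ['open', 'pending'] } };
const taintedFilter = { owner: 'alice', $or: [{ status: 'open' }, { _bsontype: 'a' }] };

console.log(findDeniedKey(legitFilter));   // null
console.log(findDeniedKey(taintedFilter)); // /$or/1/_bsontype
```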

@vkarpov15
Collaborator

That is true. Do you have any suggestions for what to do about this? I've considered deprecating prior versions and/or blog post similar to last year's prototype pollution vulnerability.

@vkarpov15 vkarpov15 added the discussion label Oct 17, 2019
@vkarpov15
Collaborator

Worth mentioning that this issue is fixed as of 5.7.5: https://github.com/Automattic/mongoose/blob/master/History.md#575--2019-10-14

@jdelta-RBS

... What CVE is this?

@vkarpov15
Collaborator

@jdelta-RBS I'm not aware of a CVE for this issue. Is there one?

@jdelta-RBS

"NOTE: this CVE is about Mongoose's failure..." So maybe he just meant "vulnerability"?

@snoopysecurity

I think the vulnerability he mentioned is CVE-2019-17426 which was fixed in 5.7.5

@jdelta-RBS

jdelta-RBS commented Oct 28, 2019

@snoopysecurity Yeah seems right. It's always fun to have people just copy-paste stuff from a CVE entry, or auto vuln scanner, and just leave it in a GitHub ticket.
@dyon-assessments Why did you post this? If you checked the references in the CVE, there's a commit.

@bourretp

bourretp commented Jul 6, 2020

Is there any plan to fix version 4.x for this particular issue?

@vkarpov15
Collaborator

@bourretp not currently. Thanks for bringing this up, we will backport this fix.

What is preventing you from upgrading to 5.x?

@vkarpov15 vkarpov15 changed the title from "allows attackers to bypass access control" to "Backport _bsontype fix to 4.x" Jul 10, 2020
@vkarpov15 vkarpov15 removed the discussion label Jul 10, 2020
@vkarpov15 vkarpov15 added this to the 5.9.24 milestone Jul 10, 2020
@vkarpov15 vkarpov15 removed this from the 5.9.24 milestone Jul 12, 2020
@bourretp

@vkarpov15 After taking a look at the 4 to 5 migration guide, the list of breaking changes is quite long. Without any time/budget to allocate to this migration, I'd rather stick with 4.x as long as it is maintained.

Thanks for the quick backport!

@vkarpov15
Collaborator

@bourretp 4.x is not formally maintained anymore. We sometimes backport fixes when people ask for them, but we haven't actively worked on 4.x in over a year. You don't need to upgrade immediately, but I'd recommend you upgrade sooner rather than later. Feel free to reach out if you run into any issues upgrading!
