Improve GHSA-vg7j-7cwx-8wgw

github · Jan 17, 2025 · 9635b78 · 9635b78
1 parent ddfe353
commit 9635b78
Showing 1 changed file with 61 additions and 3 deletions.
diff --git a/advisories/github-reviewed/2025/01/GHSA-vg7j-7cwx-8wgw/GHSA-vg7j-7cwx-8wgw.json b/advisories/github-reviewed/2025/01/GHSA-vg7j-7cwx-8wgw/GHSA-vg7j-7cwx-8wgw.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vg7j-7cwx-8wgw",
-  "modified": "2025-01-16T14:02:22Z",
+  "modified": "2025-01-16T14:02:23Z",
   "published": "2025-01-15T06:30:49Z",
   "aliases": [
     "CVE-2025-23061"
   ],
   "summary": "Mongoose search injection vulnerability",
-  "details": "Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.",
+  "details": "Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.\n\nNOTE: this issue exists because of an incomplete fix for CVE-2024-53900.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -25,14 +25,52 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "8.0.0"
             },
             {
               "fixed": "8.9.5"
             }
           ]
         }
       ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "mongoose"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.0.0"
+            },
+            {
+              "fixed": "7.8.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "mongoose"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.13.6"
+            }
+          ]
+        }
+      ]
     }
   ],
   "references": [
@@ -52,6 +90,26 @@
       "type": "WEB",
       "url": "https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Automattic/mongoose/compare/6.13.5...6.13.6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Automattic/mongoose/compare/7.8.3...7.8.4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Automattic/mongoose/compare/8.9.4...8.9.5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Automattic/mongoose/releases/tag/6.13.6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Automattic/mongoose/releases/tag/7.8.4"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/Automattic/mongoose/releases/tag/8.9.5"