Remote Memory Exposure

Module: mongoose

Published: April 25th, 2018

Reported by: Сковорода Никита Андреевич

CVE-NONE

CWE-CWE-20

Vulnerable: >=3.5.5 <=3.8.38 || >=4.0.0 <=4.3.5
Patched: >=4.3.6 || >=3.8.39 <4.0.0

Overview

Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure.

Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database.

Remediation

Update to version 4.3.6, 3.8.39 or later.

References