{
  "schema_version": "1.4.0",
  "id": "GHSA-m734-r4g6-34f9",
  "modified": "2021-08-04T20:47:58Z",
  "published": "2019-06-04T19:36:17Z",
  "aliases": [],
  "summary": "NoSQL Injection in loopback-connector-mongodb",
  "details": "Versions of `loopback-connector-mongodb` before 3.6.0 are vulnerable to NoSQL injection.\n\nMongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous `$where` property to be passed to the MongoDB Driver. The Driver allows the special `$where` property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an [intended feature of MongoDB](https://docs.mongodb.com/manual/core/server-side-javascript/) unless disabled ([instructions here](https://docs.mongodb.com/manual/core/server-side-javascript/#disable-server-side-js)).\n\nA proof of concept malicious query:\n\n```\nGET /POST filter={\"where\": {\"$where\": \"function(){sleep(5000); return this.title.contains('Hello');}\"}}\n```\n\nThe above makes the database sleep for 5 seconds and then returns all “Posts” with the title containing the word `Hello`.\n\n\n\n\n## Recommendation\n\nUpdate to version 3.6.0 or later.",
  "severity": [],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "loopback-connector-mongodb"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strongloop/loopback-connector-mongodb/issues/403"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strongloop/loopback-connector-mongodb/pull/452"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strongloop/loopback-connector-mongodb/commit/ee24cd08b8ccc32711264831c71b1da628df357b"
    },
    {
      "type": "WEB",
      "url": "https://loopback.io/doc/en/lb3/Security-advisory-08-15-2018.html"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/696"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-04T19:35:47Z",
    "nvd_published_at": null
  }
}