From 96a7a70e96027a897cacbebe6c9a4ab83ad769c1 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 25 Jul 2025 12:29:39 -0400
Subject: [PATCH] Improve GHSA-h47j-hc6x-h3qq
---
 .../12/GHSA-h47j-hc6x-h3qq/GHSA-h47j-hc6x-h3qq.json | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/advisories/github-reviewed/2019/12/GHSA-h47j-hc6x-h3qq/GHSA-h47j-hc6x-h3qq.json b/advisories/github-reviewed/2019/12/GHSA-h47j-hc6x-h3qq/GHSA-h47j-hc6x-h3qq.json
index d651c3f85b3ce..5137d9d96aad3 100644
--- a/advisories/github-reviewed/2019/12/GHSA-h47j-hc6x-h3qq/GHSA-h47j-hc6x-h3qq.json
+++ b/advisories/github-reviewed/2019/12/GHSA-h47j-hc6x-h3qq/GHSA-h47j-hc6x-h3qq.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h47j-hc6x-h3qq",
-  "modified": "2025-02-07T18:01:54Z",
+  "modified": "2025-02-07T18:01:55Z",
   "published": "2019-12-30T19:30:31Z",
   "aliases": [
     "CVE-2019-10758"
   ],
   "summary": "Remote Code Execution Vulnerability in NPM mongo-express",
-  "details": "### Impact\n\nRemote code execution on the host machine by any authenticated user.\n\n### Proof Of Concept\n\nLaunching mongo-express on a Mac, pasting the following into the \"create index\" field will pop open the Mac calculator:\n\n```javascript\nthis.constructor.constructor(\"return process\")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')\n```\n\n### Patches\nUsers should upgrade to version `0.54.0`\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n[Snyk Security Advisory](https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215)\n[CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10758)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)\n\n#### Thanks\n\n@JLLeitschuh for finding and reporting this vulnerability",
+  "details": "### Impact\n\nRemote code execution on the host machine by any authenticated user.\n\nThis vulnerability is on the CISA Known Exploited Vulnerabilities (KEV) list.\n\n### Proof Of Concept\n\nLaunching mongo-express on a Mac, pasting the following into the \"create index\" field will pop open the Mac calculator:\n\n```javascript\nthis.constructor.constructor(\"return process\")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')\n```\n\n### Patches\nUsers should upgrade to version `0.54.0`\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n- [Snyk Security Advisory](https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215)\n- [CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10758)\n- https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2\n\n#### Thanks\n\n@JLLeitschuh for finding and reporting this vulnerability",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -52,6 +52,14 @@
       "type": "WEB",
       "url": "https://github.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60"
+    },
     {
       "type": "WEB",
       "url": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215"
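Review bot: The new sentence `This vulnerability is on the CISA Known Exploited Vulnerabilities (KEV) list.` in `details` is asserted with nothing in the advisory backing it, while the same edit takes care to add the fix commit to both the prose and `references`; the KEV claim should get the same treatment, e.g. a `{ "type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }` entry (or the catalog's per-CVE link) so a consumer can verify the listing and its date added. The `### Workarounds` section still carries the GHSA template placeholder `_Is there a way for users to fix or remediate the vulnerability without upgrading?_`; since this commit already removed the `example.com` "For more information" template block, this placeholder should go too, replaced either by a concrete mitigation or by a plain `No workaround is known; upgrade to 0.54.0.` so readers are not left with a question where an answer belongs. Separately, `modified` is hand-bumped from `18:01:54Z` to `18:01:55Z` although the commit is dated July 2025; if that field is maintained by the advisory-database pipeline rather than by contributors, the edit should be dropped from the patch so the tooling can set the real timestamp.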
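Review bot: The added reference tagged `"type": "PACKAGE"` points at a pinned source line, `.../blob/ea02b364.../lib/bson.js#L60`, which does not match the OSV schema's meaning of that type (the package's home page, here the repository root); a link to the vulnerable code is a `WEB` reference like the fix-commit entry two items above it, so either change it to `"type": "WEB"` or make the `PACKAGE` entry point at `https://github.com/mongo-express/mongo-express`. Pinning the blob to a commit is the right call for stability, but nothing in the hunk says whether `ea02b364…` is the vulnerable or the patched tree; since `references` carries no free text, the `details` section is where a reader should be told what that line shows. The second new entry, commit `d8c9bda4…` as `WEB`, is consistent with the existing `7d365141…` entry; if the database accepts the `FIX` reference type both commits would be more useful tagged that way, but matching the file as it stands is acceptable.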