last updated 23 November 2021
Mongo-express: Web-based MongoDB admin interface, written with Node.js and express
These issues are regularly patched. If you would like to see which known vulnerabilities are in your Docker images, sign up to Docker Dash and see your personalised dashboard.
2 Critical 5 High 1 Medium 0 Low
Id | Severity | Package | Description |
---|---|---|---|
CVE-2021-41720 | critical | lodash:4.17.21 | ** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input. |
CVE-2020-7699 | critical | express-fileupload:0.4.0 | This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. |
CVE-2021-3807 | high | ansi-regex:3.0.0 | ansi-regex is vulnerable to Inefficient Regular Expression Complexity |
CVE-2021-3807 | high | ansi-regex:4.1.0 | ansi-regex is vulnerable to Inefficient Regular Expression Complexity |
CVE-2021-3807 | high | ansi-regex:4.1.0 | ansi-regex is vulnerable to Inefficient Regular Expression Complexity |
CVE-2021-3807 | high | ansi-regex:4.1.0 | ansi-regex is vulnerable to Inefficient Regular Expression Complexity |
CVE-2020-8116 | high | dot-prop:3.0.0 | Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects. |
CVE-2020-7598 | medium | minimist:0.0.10 | minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. |