SQL Injection

Affects the loopback-connector-mongodb package, versions <3.6.0


Overview

loopback-connector-mongodb is the official MongoDB connector for the LoopBack framework.

Affected versions of this package are vulnerable to SQL Injection, as Snyk classifies it (CWE-89); the connector talks to MongoDB, so the injected payload is a MongoDB query object rather than a SQL string. Filters passed through to the database query were not properly sanitised, so a caller who controls a filter may achieve code execution on the database driver and may also cause data leakage. Because the vector is a query object, escaping quotes does not help; the practical defence in application code is to reject MongoDB operator keys (those beginning with "$") in any filter built from untrusted input, in addition to upgrading the connector as described below.

Remediation

Upgrade loopback-connector-mongodb to version 3.6.0 or higher.

CVSS Score

7.3 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:O

Credit: Nelson Brandão
CWE: CWE-89
Snyk ID: SNYK-JS-LOOPBACKCONNECTORMONGODB-73555
Disclosed: 15 Jan, 2019
Published: 20 Jan, 2019