Information Exposure

Affecting mongoose package, versions <4.13.21 || >=5.0.0 <5.7.5


Overview

mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Information Exposure. Any query object carrying a _bsontype attribute is ignored by Mongoose's query handling, which in some applications allows attackers to bypass access control.

Remediation

Upgrade mongoose to version 4.13.21, 5.7.5 or higher.

CVSS Score

5.9 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit: xiaofen9
CVE: CVE-2019-17426
CWE: CWE-200
Snyk ID: SNYK-JS-MONGOOSE-472486
Disclosed: 10 Jul, 2019
Published: 10 Oct, 2019