CVE-2019-17426
 
Public Exploits: 0
Exploited in Wild: -
Decision: -
Descriptions
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
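The bypass above is easier to reason about with the failure mode spelled out in code. The block below is an added example, not code from Mongoose or js-bson: it models the older parser's special case (a filter object carrying a `_bsontype` attribute is treated as an already-encoded BSON value, so an unknown type serializes to the empty document `{}`, which matches every record), shows the application pattern that exposes it (spreading untrusted request keys into a filter that is meant to be scoped to the current user), and then shows two mitigations. `legacySerializeFilter`, the `NOTES` collection, the allow-list and all function names are constructed for the illustration; the "library fix" variant is my reading of what stripping a top-level `_bsontype` achieves, not the referenced commit's code.

```javascript
// Added example for CVE-2019-17426 (not Mongoose's or js-bson's own code).

// Constructed in-memory collection standing in for a MongoDB collection.
const NOTES = [
  { _id: 1, owner: 'alice', text: 'alice private note' },
  { _id: 2, owner: 'bob',   text: 'bob private note' },
  { _id: 3, owner: 'bob',   text: 'bob second note' },
];

// Assumption-level model of the older js-bson behaviour described in the CVE text:
// an object with a `_bsontype` attribute is taken to be a pre-encoded BSON value
// rather than a plain document. An unknown type contributes nothing, so the whole
// filter silently becomes {} (matches everything). This is not the parser's code.
function legacySerializeFilter(filter) {
  if (filter !== null && typeof filter === 'object' &&
      Object.prototype.hasOwnProperty.call(filter, '_bsontype')) {
    return {};
  }
  return { ...filter };
}

// Toy matcher: exact equality on every key of the serialized filter.
function find(collection, serializedFilter) {
  return collection.filter(doc =>
    Object.entries(serializedFilter).every(([k, v]) => doc[k] === v));
}

// Vulnerable pattern: the app scopes the query to the logged-in user but merges in
// attacker-controlled keys (e.g. from req.query). Sending {"_bsontype":"a"} turns
// the scoped filter into {} and returns every user's notes.
function findNotesVulnerable(currentUser, untrustedQuery) {
  const filter = { ...untrustedQuery, owner: currentUser };
  return find(NOTES, legacySerializeFilter(filter));
}

// Mitigation 1, library side (models what removing a top-level `_bsontype` from a
// plain filter achieves; assumption, not the referenced commit's code).
function stripBsontype(filter) {
  const copy = { ...filter };
  delete copy._bsontype;
  return copy;
}
function findNotesWithLibraryFix(currentUser, untrustedQuery) {
  const filter = stripBsontype({ ...untrustedQuery, owner: currentUser });
  return find(NOTES, legacySerializeFilter(filter));
}

// Mitigation 2, application side (stronger): never spread untrusted keys into a
// filter. Copy only allow-listed fields and keep the access-control key out of
// the attacker's reach entirely.
const ALLOWED_QUERY_KEYS = new Set(['_id', 'text']); // constructed allow-list
function buildSafeFilter(currentUser, untrustedQuery) {
  const filter = { owner: currentUser };
  for (const [k, v] of Object.entries(untrustedQuery)) {
    if (ALLOWED_QUERY_KEYS.has(k)) filter[k] = v;
  }
  return filter;
}
function findNotesWithAllowlist(currentUser, untrustedQuery) {
  return find(NOTES, legacySerializeFilter(buildSafeFilter(currentUser, untrustedQuery)));
}

// Demonstration against an attacker-supplied query object.
const attack = { _bsontype: 'a' };
console.log('vulnerable:', findNotesVulnerable('alice', attack).length);      // 3
console.log('library fix:', findNotesWithLibraryFix('alice', attack).length); // 1
console.log('allow-list:', findNotesWithAllowlist('alice', attack).length);   // 1
```

The allow-list variant is the one to prefer in application code even on a patched Mongoose: the library fix only addresses the top-level `_bsontype` key, while an allow-list also closes the other query-operator injection paths that spreading request objects into filters opens. Note the toy model only special-cases the top-level filter; a real driver also has to keep passing through genuine BSON values (such as an ObjectId, which legitimately carries `_bsontype`) nested inside the filter.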
CVSS Scores
SSVC
- Decision: -
Timeline
- 2019-10-10 CVE Reserved
- 2019-10-10 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-05 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
References (2)
URL | Tag | Date
---|---|---
https://github.com/Automattic/mongoose/issues/8222 | Third Party Advisory |
https://github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afb3c31c | | 2021-07-21
Affected Vendors, Products, and Versions
Vendor | Product | Version | Platform | Status
---|---|---|---|---
Mongoosejs | Mongoose | <= 5.7.4 | node.js | Affected