Vulnerability Description
express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models. express-restify-mongoose 2.4.2 and earlier and 3.0.X through 3.0.1 allows a malicious user to send a request for `GET /User?distinct=password` and get all the passwords for all the users in the database, despite the field being set to private. This can be used for other private data if the malicious user knew what was set as private for specific routes.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Express-Restify-Mongoose Project | Express-Restify-Mongoose | <= 2.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/florianholzapfel/express-restify-mongoose/issues/252Issue TrackingThird Party Advisory
- https://nodesecurity.io/advisories/92ExploitThird Party Advisory
- https://github.com/florianholzapfel/express-restify-mongoose/issues/252Issue TrackingThird Party Advisory
- https://nodesecurity.io/advisories/92ExploitThird Party Advisory
FAQ
What is CVE-2016-10533?
CVE-2016-10533 is a vulnerability with a CVSS score of 8.8 (HIGH). express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models. express-restify-mongoose 2.4.2 and earlier and 3.0.X through 3.0.1 allows a malicious user to send ...
How severe is CVE-2016-10533?
CVE-2016-10533 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-10533?
Check the references section above for vendor advisories and patch information. Affected products include: Express-Restify-Mongoose Project Express-Restify-Mongoose.