Vulnerability Description
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mongoosejs | Mongoose | <= 5.7.4 |
References
- https://github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afPatch
- https://github.com/Automattic/mongoose/issues/8222Third Party Advisory
- https://github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afPatch
- https://github.com/Automattic/mongoose/issues/8222Third Party Advisory
FAQ
What is CVE-2019-17426?
CVE-2019-17426 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" c...
How severe is CVE-2019-17426?
CVE-2019-17426 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-17426?
Check the references section above for vendor advisories and patch information. Affected products include: Mongoosejs Mongoose.