CVE-2019-17426
Published 2019-10-10
Priority P349 · critical 9.1 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS 1.66% (73.7th percentile)
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
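As an added example (not code from Mongoose or js-bson), the following guard, using the hypothetical helper names findBsontypeKey and assertSafeFilter, rejects any untrusted query filter that carries a `_bsontype` key at any depth before the filter is handed to Mongoose, so the special case described above cannot silently widen a query:

```javascript
// Added example (not Mongoose's or js-bson's code): a guard for untrusted
// query filters that refuses any object carrying a `_bsontype` key, which
// older js-bson versions treat as a serialized BSON value rather than a
// plain filter clause (the special case behind CVE-2019-17426).
// findBsontypeKey and assertSafeFilter are hypothetical helper names.

// Walk a filter recursively; return the path of the first `_bsontype` key
// found, or null if the filter contains none.
function findBsontypeKey(value, path = "") {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findBsontypeKey(value[i], `${path}[${i}]`);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key === "_bsontype") return here;
      const hit = findBsontypeKey(value[key], here);
      if (hit !== null) return hit;
    }
  }
  return null;
}

// Reject the filter before it reaches Mongoose, so the request fails loudly
// (and can be logged) instead of silently widening the query.
function assertSafeFilter(filter) {
  const hit = findBsontypeKey(filter);
  if (hit !== null) {
    throw new Error(`rejected query filter: reserved key at ${hit}`);
  }
  return filter;
}

// Constructed sample filters: a normal ownership check, and the same filter
// with a `_bsontype` key smuggled into one $or branch.
const okFilter = { owner: "user-42", $or: [{ status: "active" }, { status: "pending" }] };
const badFilter = { owner: "user-42", $or: [{ status: "active" }, { _bsontype: "a" }] };

assertSafeFilter(okFilter); // returns the filter unchanged
try {
  assertSafeFilter(badFilter);
} catch (e) {
  console.log(e.message); // rejected query filter: reserved key at $or[1]._bsontype
}
```

Run the check on every filter built from request input (query strings, JSON bodies) and log rejections; a `_bsontype` key has no legitimate place in an application-level filter.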
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cesanta | mongoose | >= 0 < 4.13.21 | 4.13.21 |
| cesanta | mongoose | >= 5.0.0 < 5.7.5 | 5.7.5 |
| mongoosejs | mongoose | <= 5.7.4 | — |
| seal-security | mongoose-fixed | >= 5.3.3 < 5.3.4 | 5.3.4 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| ghsa | — | 9.1 | CRITICAL | — |
| osv | — | 9.1 | CRITICAL | — |
GHSA
CVE-2023-3696 [CRITICAL] CWE-1321 Prototype Pollution in ali-security/mongoose (ghsa · 2023-10-17 · CVSS 9.1)
### Impact
This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate().
For applications using Express and EJS, this can potentially allow remote code execution.
### Patches
The original patched version for mongoose 5.3.3 did not include a fix for CVE-2023-3696. Therefore the existing version @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (though it is protected from CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, a @seal-security/mongoose-fixed version 5.3.4 has been deployed. Note that this version is compatible with the original mongoose version 5.3.3, not version 5.3.4.
### References
https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721
https://gi
OSV
CVE-2023-3696 [CRITICAL] Prototype Pollution in ali-security/mongoose (osv · 2023-10-17 · CVSS 9.1)
GHSA
CVE-2019-17426 [CRITICAL] CWE-20 Improper Input Validation in Automattic Mongoose (ghsa · 2019-10-22)
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a `_bsontype` attribute is ignored. For example, adding `"_bsontype":"a"` can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
OSV
CVE-2019-17426 [CRITICAL] Improper Input Validation in Automattic Mongoose (osv · 2019-10-22)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.