CVE-2019-17426

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-17426

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17426.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2019-17426

Aliases

GHSA-8687-vv9j-hgph

Published

2019-10-10T02:05:46Z

Modified

2025-01-08T10:24:43.214067Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a bsontype attribute is ignored. For example, adding "bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

References

Affected packages

Git / github.com/automattic/mongoose

Affected ranges

Type: GIT
Repo: https://github.com/automattic/mongoose
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f3eca5b94d822225c04e96cbeed9f095afb3c31c

Fixed

f3eca5b94d822225c04e96cbeed9f095afb3c31c

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

1.*

1.0.1

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.1.0

1.1.1

1.1.10

1.1.11

1.1.12

1.1.13

1.1.14

1.1.15

1.1.16

1.1.17

1.1.18

1.1.19

1.1.2

1.1.20

1.1.21

1.1.22

1.1.23

1.1.25

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.4.0

1.5.0

1.6.0

1.7.2

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.3.0

2.3.1

2.3.10

2.3.11

2.3.12

2.3.13

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.4.0

2.4.1

2.4.10

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.5.0

2.5.1

2.5.10

2.5.11

2.5.12

2.5.13

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.5.9

3.*

3.0.0

3.0.0alpha1

3.0.0alpha2

3.0.0rc0

3.0.1

3.0.2

3.0.3

3.1.0

3.1.1

3.1.2

3.2.0

3.2.1

3.2.2

3.3.0

3.3.1

3.4.0

3.5.0

3.5.1

3.5.2

3.5.4

3.5.5

3.5.6

3.5.7

3.6.0

3.6.0rc1

3.6.1

3.6.2

3.6.3

3.6.4

3.7.2

3.7.3

3.7.4

3.8.0

3.8.1

3.8.10

3.8.11

3.8.12

3.8.13

3.8.14

3.8.15

3.8.16

3.8.17

3.8.18

3.8.19

3.8.2

3.8.20

3.8.21

3.8.22

3.8.23

3.8.24

3.8.25

3.8.26

3.8.27

3.8.28

3.8.29

3.8.3

3.8.30

3.8.31

3.8.32

3.8.33

3.8.34

3.8.35

3.8.36

3.8.37

3.8.38

3.8.39

3.8.4

3.8.40

3.8.5

3.8.6

3.8.7

3.8.8

3.8.9

3.9.0

3.9.1

3.9.2

3.9.3

3.9.4

3.9.5

3.9.6

3.9.7

4.*

4.0.0

4.0.0-rc0

4.0.0-rc1

4.0.0-rc2

4.0.0-rc3

4.0.0-rc4

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.1.0

4.1.1

4.1.10

4.1.11

4.1.12

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.1.9

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.10.8

4.11.0

4.11.1

4.11.11

4.11.12

4.11.13

4.11.14

4.11.2

4.11.3

4.11.4

4.11.5

4.11.6

4.11.7

4.11.8

4.11.9

4.12.0

4.12.1

4.12.2

4.12.3

4.12.4

4.12.5

4.12.6

4.13.0

4.13.1

4.13.10

4.13.11

4.13.12

4.13.13

4.13.14

4.13.17

4.13.18

4.13.19

4.13.2

4.13.3

4.13.4

4.13.5

4.13.6

4.13.7

4.13.8

4.2.0

4.2.1

4.2.10

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.4.0

4.4.1

4.4.10

4.4.11

4.4.12

4.4.13

4.4.14

4.4.15

4.4.16

4.4.17

4.4.18

4.4.19

4.4.2

4.4.20

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

4.5.9

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.7.0

4.7.1

4.7.2

4.7.3

4.7.4

4.7.5

4.7.6

4.7.7

4.7.8

4.7.9

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.8.6

4.8.7

4.9.0

4.9.1

4.9.10

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.9.8

4.9.9

5.*

5.0.0

5.0.0-rc0

5.0.0-rc1

5.0.0-rc2

5.0.1

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

5.0.18

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.2.0

5.2.1

5.2.10

5.2.12

5.2.13

5.2.14

5.2.15

5.2.16

5.2.17

5.2.18

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.3.0

5.3.1

5.3.10

5.3.11

5.3.12

5.3.14

5.3.15

5.3.16

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.4.0

5.4.1

5.4.10

5.4.11

5.4.12

5.4.13

5.4.14

5.4.15

5.4.16

5.4.17

5.4.18

5.4.19

5.4.2

5.4.20

5.4.21

5.4.22

5.4.23

5.4.3

5.4.4

5.4.5

5.4.6

5.4.7

5.4.8

5.4.9

5.5.0

5.5.1

5.5.10

5.5.11

5.5.12

5.5.13

5.5.14

5.5.15

5.5.2

5.5.3

5.5.4

5.5.5

5.5.6

5.5.7

5.5.8

5.5.9

5.6.0

5.6.1

5.6.10

5.6.11

5.6.12

5.6.13

5.6.2

5.6.3

5.6.4

5.6.5

5.6.6

5.6.7

5.6.8

5.6.9

5.7.0

5.7.1

5.7.2

5.7.3

5.7.4

v4.*

v4.11.13