CVE-2019-17426

Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

Published: Oct 10, 2019
Updated: May 9, 2024
CVE: CVE-2019-17426
GHSA: GHSA-8687-vv9j-hgph
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
mongoosejs / mongoose	-	5.7.4.x
mongoose	5.0.0	5.7.5
mongoose	-	4.13.21

https://github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afb3c31c
https://github.com/Automattic/mongoose/commit/f88eb2524b65a68ff893c90a03c04f0913c1913e
https://github.com/Automattic/mongoose/commits/4.13.21
https://github.com/Automattic/mongoose/issues/8222
https://github.com/Automattic/mongoose/releases/tag/4.13.21

Vulnerability Database

CVE-2019-17426

Deep Security Visibility Without the Complexity