What is the severity of CVE-2019-17426?

CVE-2019-17426 is classified as a medium severity vulnerability due to its potential to allow unauthorized access in certain applications.

How do I fix CVE-2019-17426?

To fix CVE-2019-17426, upgrade Mongoose to version 5.7.5 or later, or to version 4.13.21.

What software is affected by CVE-2019-17426?

CVE-2019-17426 affects Mongoose versions up to and including 5.7.4.

What are the implications of CVE-2019-17426?

CVE-2019-17426 allows attackers to bypass access control measures by manipulating query filters using specific attributes.

Is CVE-2019-17426 fixed in later versions of Mongoose?

Yes, CVE-2019-17426 is fixed in Mongoose version 5.7.5 and version 4.13.21.

Vulnerability/
CVE-2019-17426

critical

9.1

CWE

10/10/2019

22/10/2019

5/8/2024

CVE-2019-17426: Input Validation

First published: Thu Oct 10 2019(Updated: )

Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
npm/mongoose	<4.13.21	4.13.21
npm/mongoose	>=5.0.0<5.7.5	5.7.5
Mongoose	<=5.7.4

Remedy

https://github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afb3c31c

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2019-17426?
CVE-2019-17426 is classified as a medium severity vulnerability due to its potential to allow unauthorized access in certain applications.
How do I fix CVE-2019-17426?
To fix CVE-2019-17426, upgrade Mongoose to version 5.7.5 or later, or to version 4.13.21.
What software is affected by CVE-2019-17426?
CVE-2019-17426 affects Mongoose versions up to and including 5.7.4.
What are the implications of CVE-2019-17426?
CVE-2019-17426 allows attackers to bypass access control measures by manipulating query filters using specific attributes.
Is CVE-2019-17426 fixed in later versions of Mongoose?
Yes, CVE-2019-17426 is fixed in Mongoose version 5.7.5 and version 4.13.21.

collector/github-advisory-latest
alias/GHSA-8687-vv9j-hgph
alias/CVE-2019-17426
collector/github-advisory
agent/author
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/references
agent/remedy
agent/weakness
agent/severity
agent/last-modified-date
agent/event
agent/description
agent/first-publish-date
agent/trending
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
package-manager/npm
vendor/mongoosejs
canonical/mongoose
version/mongoose/5.7.4

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.