CVE-2020-24391: Input Validation
First published: Tue Mar 30 2021(Updated: )
mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mongo-express Project Mongo-express | <=0.54.0 |
Remedy
https://github.com/mongo-express/mongo-express/commit/3a26b079e7821e0e209c3ee0cc2ae15ad467b91a
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-24391?
The severity of CVE-2020-24391 is critical with a CVSS score of 9.8.
How does CVE-2020-24391 affect mongo-express?
CVE-2020-24391 affects mongo-express versions up to and including 0.54.0.
What is the remedy for CVE-2020-24391 in mongo-express?
The remedy for CVE-2020-24391 in mongo-express is to update to version 2.0.0 or later.
What is the affected package for CVE-2020-24391?
The affected package for CVE-2020-24391 is `mongodb-query-parser`.
Are there any known references for CVE-2020-24391?
Yes, you can find references for CVE-2020-24391 on the NIST National Vulnerability Database (NVD), GitHub issues, and GitHub commits.
- collector/github-advisory-latest
- alias/GHSA-hxmg-hm46-cf62
- alias/CVE-2020-24391
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/weakness
- agent/type
- agent/event
- agent/remedy
- agent/first-publish-date
- agent/tags
- agent/last-modified-date
- agent/description
- agent/softwarecombine
- agent/references
- agent/severity
- collector/mitre-cve
- source/MITRE
- package-manager/npm
- vendor/mongo-express project
- canonical/mongo-express project mongo-express
- version/mongo-express project mongo-express/0.54.0