CVE-2016-10533

Опубликовано: 31 мая 2018

Источник: nvd

CVSS3: 8.8

CVSS2: 4

EPSS Низкий

Описание

express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models. express-restify-mongoose 2.4.2 and earlier and 3.0.X through 3.0.1 allows a malicious user to send a request for GET /User?distinct=password and get all the passwords for all the users in the database, despite the field being set to private. This can be used for other private data if the malicious user knew what was set as private for specific routes.

Ссылки

https://github.com/florianholzapfel/express-restify-mongoose/issues/252
Issue Tracking
Third Party Advisory
https://nodesecurity.io/advisories/92
Exploit
Third Party Advisory
https://github.com/florianholzapfel/express-restify-mongoose/issues/252
Issue Tracking
Third Party Advisory
https://nodesecurity.io/advisories/92
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:express-restify-mongoose_project:express-restify-mongoose:*:*:*:*:*:node.js:*:*

Версия до 2.4.2 (включая)

cpe:2.3:a:express-restify-mongoose_project:express-restify-mongoose:*:*:*:*:*:node.js:*:*

Версия от 3.0.0 (включая) до 3.0.1 (включая)

EPSS

Процентиль: 47%

0.00242

Низкий

8.8 High

CVSS3

4 Medium

CVSS2

Дефекты

CWE-200

Связанные уязвимости

GHSA-cgjx-mwpx-47jv

github

больше 7 лет назад

Private Data Disclosure in express-restify-mongoose