CVE-2019-17426

Name of the Vulnerable Software and Affected Versions Automattic Mongoose versions through 5.7.4

Description The issue allows attackers to bypass access control in some applications because any query object with a bsontype attribute is ignored. For example, adding bsontype:"a" can sometimes interfere with a query filter. This is related to Mongoose's failure to work around the bsontype special case that exists in older versions of the bson parser.

Recommendations For versions through 5.7.4, consider updating to a version that addresses this issue, as the current version allows attackers to bypass access control by exploiting the bsontype attribute in query objects. At the moment, there is no information about a newer version that contains a fix for this vulnerability.