PT-2020-21106 — Information Disclosure in Strongloop Loopback

PT-2020-21106 · Strongloop · Loopback

Published

2020-09-02

Updated

2020-09-02

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions loopback versions prior to 3.26.0 loopback versions prior to 2.42.0

Description The issue allows sensitive data exposure through invalid API requests to the login endpoint, potentially returning information about the first user in the database. This could be used in conjunction with other attacks for credential theft.

Recommendations If you're using loopback 3.x, upgrade to version 3.26.0 or later. If you're using loopback 2.x, upgrade to version 2.42.0 or later.

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

GHSA-724C-6VRF-99RQ

Affected Products

Loopback

PT-2020-21106 · Strongloop · Loopback

Weakness Enumeration

Related Identifiers

Affected Products

References · 5