CVE-2019-10790

Name of the Vulnerable Software and Affected Versions taffydb versions up to and including 2.7.3

Description The issue allows attackers to forge adding additional properties into user-input processed by taffy, which can allow access to any data items in the DB. Taffy sets an internal index for each data item in its DB. However, it is found that the internal index can be forged by adding additional properties into user-input. If an index is found in the query, taffyDB will ignore other query conditions and directly return the indexed data item. Moreover, the internal index is in an easily-guessable format, such as T000002R000001. As such, attackers can use this vulnerability to access any data items in the DB.

Recommendations For versions up to and including 2.7.3, consider disabling the use of internal indexes until a patch is available or an alternative solution is implemented. Restrict access to sensitive data items to minimize the risk of exploitation. Avoid using the taffydb module until a maintained successor or a fixed version is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.