CVE-2019-10790

Source
https://cve.org/CVERecord?id=CVE-2019-10790
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10790.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-10790
Aliases
Downstream
Related
  • SNYK-JS-TAFFY-546521
Published
2020-02-17T20:15:10.943Z
Modified
2026-02-04T23:05:49.844198Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

The taffydb npm module, vulnerable in all versions up to and including 2.7.3, allows attackers to add forged properties to user input processed by taffy, which can give access to any data item in the DB. taffy sets an internal index for each data item in its DB. However, this internal index can be forged by adding additional properties to user input. If an index is found in the query, taffyDB ignores the other query conditions and directly returns the indexed data item. Moreover, the internal index has an easily guessable format (e.g., T000002R000001). As such, attackers can use this vulnerability to access any data item in the DB.
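One mitigation for the behaviour described above is to never hand a raw user-supplied object to the query layer. The following is an added example, not code from taffydb or from this record: it copies only allowlisted fields into a fresh query object and flags dropped properties whose value looks like an internal index. The field names, the `internal_index` property name and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not taffydb code: filter an untrusted query object before it
// reaches the database layer. Field names and samples are constructed.
const ALLOWED_FIELDS = ["username", "password"];

// Shape of the internal index quoted in the advisory (e.g. T000002R000001).
// The digit counts are an assumption drawn from that single example.
const INTERNAL_INDEX_SHAPE = /^T\d{6}R\d{6}$/;

function buildSafeQuery(untrusted) {
  const result = { query: null, dropped: [], suspicious: false };
  if (untrusted === null || typeof untrusted !== "object" || Array.isArray(untrusted)) {
    return result; // fail closed on anything that is not a plain object
  }
  const query = Object.create(null);
  for (const key of Object.keys(untrusted)) {
    const value = untrusted[key];
    if (ALLOWED_FIELDS.includes(key) && typeof value === "string") {
      query[key] = value; // only expected fields with scalar string values
      continue;
    }
    result.dropped.push(key);
    // An unexpected property carrying an index-shaped value is worth alerting on.
    if (typeof value === "string" && INTERNAL_INDEX_SHAPE.test(value)) {
      result.suspicious = true;
    }
  }
  // Every condition must survive filtering, otherwise no query is issued.
  if (ALLOWED_FIELDS.every((field) => field in query)) {
    result.query = query;
  }
  return result;
}

// Constructed inputs: a normal request body and one with an extra property.
const normal = buildSafeQuery({ username: "alice", password: "s3cret" });
const forged = buildSafeQuery({
  username: "alice",
  password: "wrong",
  internal_index: "T000002R000001", // hypothetical property name
});
console.log(normal, forged);
```

Only `result.query` should be passed on to the database; `dropped` and `suspicious` are meant for logging and alerting.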

References

Affected packages

Git / github.com/piscis/taffydb-node

Affected ranges

Type
GIT
Repo
https://github.com/piscis/taffydb-node
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

2.*
2.6.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10790.json"