Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW14aHAtNzlxaC1tY3g2
TaffyDB can allow access to any data items in the DB
TaffyDB allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. Taffy sets an internal index for each data item in its DB. However, it is found that the internal index can be forged by adding additional properties into user-input. If index is found in the query, TaffyDB will ignore other query conditions and directly return the indexed data item. Moreover, the internal index is in an easily-guessable format (e.g., T000002R000001). As such, attackers can use this vulnerability to access any data items in the DB. Note: taffy and its successor package taffydb are not maintained.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW14aHAtNzlxaC1tY3g2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 4 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-mxhp-79qh-mcx6, CVE-2019-10790
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10790
- https://snyk.io/vuln/SNYK-JS-TAFFY-546521
- https://www.npmjs.com/package/taffy
- https://github.com/advisories/GHSA-mxhp-79qh-mcx6
Affected Packages
npm:taffydb
Dependent packages: 305Dependent repositories: 47,871
Downloads: 2,416,494 last month
Affected Version Ranges: <= 2.7.3
No known fixed version
All affected versions: 0.0.1, 2.6.2, 2.7.2, 2.7.3
npm:taffy
Dependent packages: 13Dependent repositories: 53
Downloads: 343 last month
Affected Version Ranges: <= 2.6.2
No known fixed version
All affected versions: 2.6.2