Description
express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models. express-restify-mongoose 2.4.2 and earlier and 3.0.X through 3.0.1 allow a malicious user to send a request for `GET /User?distinct=password` and receive the passwords of every user in the database, even though the `password` field is configured as private: the `distinct` query parameter is evaluated without applying the route's private-field filtering. The same technique exposes any other private field if the malicious user knows which fields are set as private for a specific route.
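The following added example is not code from express-restify-mongoose or from the advisory; it shows one defender-side mitigation: an Express-style middleware, mounted before the route handler, that rejects any `distinct` query naming a field the route marks private and logs the attempt for detection. The `privateFields` option name, the dotted-path prefix rule and the 400 response are assumptions of this example.

```javascript
// Added example (not the project's own code). Assumption: each route knows
// its own list of private fields, e.g. ['password'], mirroring the
// `private` option it passes to express-restify-mongoose.
const DEFAULT_PRIVATE = ['password'];

// Normalise `distinct` from the parsed query string: Express hands us a
// string, or an array of strings when the parameter is repeated.
function requestedDistinct(query) {
  const raw = query && query.distinct;
  if (raw === undefined || raw === null) return [];
  return (Array.isArray(raw) ? raw : [raw]).map((v) => String(v).trim());
}

// Return the requested distinct fields that would expose private data,
// or [] if the request is safe. A dotted path such as "auth.password" is
// treated as private when any of its prefixes is private (assumed rule).
function leakedPrivateFields(query, privateFields) {
  const priv = new Set(privateFields);
  return requestedDistinct(query).filter((field) => {
    const parts = field.split('.');
    for (let i = 1; i <= parts.length; i++) {
      if (priv.has(parts.slice(0, i).join('.'))) return true;
    }
    return false;
  });
}

// Middleware factory: app.use('/User', blockPrivateDistinct(['password']))
// before the express-restify-mongoose route is registered.
function blockPrivateDistinct(privateFields = DEFAULT_PRIVATE) {
  return function (req, res, next) {
    const leaked = leakedPrivateFields(req.query, privateFields);
    if (leaked.length === 0) return next();
    // A distinct query on a private field is never legitimate client
    // behaviour for this route, so log it as a signal worth alerting on.
    console.warn(
      `rejected distinct on private field(s) ${leaked.join(', ')} from ${req.ip}`
    );
    res.status(400).json({ error: 'distinct on a private field is not allowed' });
  };
}
```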
Remediation
References
https://github.com/florianholzapfel/express-restify-mongoose/issues/252
https://nodesecurity.io/advisories/92
Related Vulnerabilities
CVE-2021-3856 Vulnerability in maven package org.keycloak:keycloak-services
CVE-2023-23936 Vulnerability in maven package org.webjars.npm:undici
CVE-2022-39236 Vulnerability in npm package matrix-js-sdk
CVE-2021-21292 Vulnerability in maven package org.traccar:traccar
CVE-2019-10425 Vulnerability in maven package org.jvnet.hudson.plugins:gcal