CVE-2019-10790
Access Control vulnerability in taffy (npm)
What is CVE-2019-10790 About?
This vulnerability in TaffyDB allows attackers to forge internal database indexes, leading to unauthorized access to arbitrary data items. By supplying a specially crafted input, an attacker can bypass query conditions and retrieve any data. Exploitation is relatively straightforward due to the guessable index format.
Affected Software
- taffy
- <=2.6.2
- taffydb
- <=2.7.3
Technical Details
TaffyDB maintains an internal index for each data item, typically in a predictable format (e.g., T000002R000001). The vulnerability arises because TaffyDB allows user input to forge or inject additional properties, including this internal index. When an attacker provides a query that includes a forged index, the database bypasses other query conditions and directly returns the indexed data item. Due to the easily guessable nature of the index format, an attacker can enumerate and directly request specific indexed items, circumventing intended access controls and accessing any data within the database. This is a logical bypass of the query mechanism.
What is the Impact of CVE-2019-10790?
Successful exploitation may allow attackers to bypass access controls, gain unauthorized access to sensitive database entries, and exfiltrate confidential information from the database.
What is the Exploitability of CVE-2019-10790?
Exploitation of this access control vulnerability is of low to moderate complexity. An attacker needs to be able to supply user input to a TaffyDB instance. Specifically, they need to craft a query that includes a forged internal index. No authentication is explicitly required beyond what an ordinary user capable of querying the database would possess. This is typically a remote attack if the database or application using TaffyDB is exposed. The primary prerequisite is the use of the unmaintained taffy or taffydb packages. The predictable format of internal indexes significantly increases the ease and likelihood of successful exploitation, as attackers can systematically guess and query valid indexes.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-10790?
Available Upgrade Options
- No fixes available
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-mxhp-79qh-mcx6
- https://snyk.io/vuln/SNYK-JS-TAFFY-546521
- https://snyk.io/vuln/SNYK-JS-TAFFY-546521
- https://www.npmjs.com/package/taffydb
- https://www.npmjs.com/package/taffy
- https://nvd.nist.gov/vuln/detail/CVE-2019-10790
- https://security.snyk.io/vuln/SNYK-JS-TAFFYDB-2992450
What are Similar Vulnerabilities to CVE-2019-10790?
Similar Vulnerabilities: CVE-2023-38507 , CVE-2023-3758 , CVE-2023-28704 , CVE-2022-24357 , CVE-2022-42921
