GMS-2016-25: Private Data Disclosure

April 19, 2016

A malicious user could go to your application and send a request for GET /User?distinct=password and get all the passwords for all the users in the database, despite the field being set to private. This could also be used for other private data if the malicious user knew what was set as private for specific routes.

References

github.com/florianholzapfel/express-restify-mongoose/issues/252

Code Behaviors & Features

Detect and mitigate GMS-2016-25 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →