GHSA-724c-6vrf-99rq – loopback
Package
Manager: npm
Name: loopback
Vulnerable Version: >=0 <2.42.0 || >=3.0.0 <3.26.0
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Sensitive Data Exposure in loopback

Versions of `loopback` prior to 3.26.0 (3.x) and 2.42.0 (2.x) are vulnerable to Sensitive Data Exposure. Invalid API requests to the login endpoint may return information about the first user in the database. This can be used alongside other attacks for credential theft.

## Recommendation

If you're using `loopback` 3.x, upgrade to version 3.26.0 or later.
If you're using `loopback` 2.x, upgrade to version 2.42.0 or later.
Metadata
Created: 2020-09-02T21:49:48Z
Modified: 2021-09-27T22:31:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-724c-6vrf-99rq/GHSA-724c-6vrf-99rq.json
CWE IDs: ["CWE-200"]
Alternative ID: N/A
Finding: F038
Auto approve: 1