Lucene search

GitHub Advisory DatabaseGHSA-CRRQ-VR9J-FXXH

HistoryJul 06, 2022 - 7:52 p.m.

Protected fields exposed via LiveQuery

2022-07-0619:52:23

CWE-200

CWE-212

GitHub Advisory Database

github.com

parse server

livequery

protected fields

client response

vulnerability

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS

0.002

Percentile

51.3%

JSON

Impact

Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.

Patches

The LiveQueryController now removes protected fields from the client response.

Workarounds

Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.

References

For more information

If you have any questions or comments about this advisory:

For questions or comments about this vulnerability visit our community forum or community chat
Report other vulnerabilities at report.parseplatform.org

Affected configurations

Vulners

Node

parseplatformparse_serverRange5.0.0–5.2.4

parseplatformparse_serverRange<4.10.13

VendorProductVersionCPE
parseplatformparse_server*cpe:2.3:a:parseplatform:parse_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
parseplatform	parse_server	*	cpe:2.3:a:parseplatform:parse_server::::::::

References

github.com/advisories/GHSA-crrq-vr9j-fxxh

github.com/parse-community/parse-server/commit/054f3e6ab01d66a0dcfb77725af28eac1485b375

github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1

github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6

github.com/parse-community/parse-server/issues/8073

github.com/parse-community/parse-server/pull/8074

github.com/parse-community/parse-server/releases/tag/5.2.4

github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh

nvd.nist.gov/vuln/detail/CVE-2022-31112

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS

0.002

Percentile

51.3%

JSON

Related for GHSA-CRRQ-VR9J-FXXH