GitHub Advisory Database: GHSA-FCV6-FG5R-JM9Q
Published: Sep 04, 2023, 10:40 p.m.

Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer

Weakness: CWE-670 (Always-Incorrect Control Flow Implementation)
Source: GitHub Advisory Database (github.com)
Tags: parse pointer, internal classes, `beforefind` trigger, vulnerability, patches, workarounds, security layers, access control, github advisory, parse server 6.x, parse server 5.x

CVSS v3.1 base score: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None

EPSS: 0.001 (percentile 45.0%)

Impact

A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the beforeFind query trigger, which is an additional vulnerability for deployments that rely on the beforeFind trigger as a security layer to modify an incoming query.

Patches

The vulnerability was fixed by patching the internal query pipeline so that a Parse Pointer can no longer be used to access internal Parse Server classes or to circumvent the beforeFind trigger.

Workarounds

There is no known workaround that prevents a Parse Pointer from being used to access internal Parse Server classes. If a beforeFind trigger is used as a security layer, the workaround is to instead use the security layers Parse Server provides, managing access levels with Class-Level Permissions and Object-Level Access Control.
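The workaround advice comes down to where the access check lives. The following is an added example, not Parse Server's own code: a deliberately simplified model in which `store`, `clp` and the `beforeFind` map are constructed stand-ins, showing why a check implemented only in the query trigger is skipped when the same object is reached through a pointer, while a Class-Level Permission check placed in the fetch itself covers both paths.

```javascript
// Simplified model of two enforcement strategies (added example; not Parse
// Server's own code). All data, class names and values are constructed.

// Constructed sample data. Post.author is a pointer into an internal class.
const store = {
  Post: [{ objectId: 'p1', title: 'hello',
           author: { __type: 'Pointer', className: 'Secret', objectId: 's1' } }],
  Secret: [{ objectId: 's1', token: 'constructed-secret-value' }],
};

// A beforeFind trigger used as a security layer: refuse any query on Secret.
const beforeFind = {
  Secret: () => { throw new Error('beforeFind: Secret is not queryable'); },
};

// Class-Level Permissions: read rules that belong to the data layer itself.
const clp = { Post: { find: true, get: true }, Secret: { find: false, get: false } };

// Replace each pointer field of `obj` with whatever `fetch` returns for it.
function resolvePointers(obj, fetch) {
  const out = {};
  for (const [k, v] of Object.entries(obj)) {
    out[k] = v && v.__type === 'Pointer' ? fetch(v.className, v.objectId) : v;
  }
  return out;
}

// Trigger-guarded pipeline: beforeFind runs only for the top-level class.
// The pointer fetch goes straight to the store, so the trigger never sees it
// and the internal object is returned inside the Post.
function findTriggerOnly(className) {
  if (beforeFind[className]) beforeFind[className]();
  const raw = (name, id) => store[name].find((o) => o.objectId === id);
  return store[className].map((o) => resolvePointers(o, raw));
}

// CLP-guarded pipeline: the permission check lives in the fetch itself, so
// the query path and the pointer path cannot diverge. A pointer to a class
// the caller may not read stays unresolved (null) instead of leaking it.
function getChecked(className, objectId) {
  if (!clp[className] || !clp[className].get) return null;
  return store[className].find((o) => o.objectId === objectId);
}
function findClp(className) {
  if (!clp[className] || !clp[className].find) {
    throw new Error(`CLP: find denied on ${className}`);
  }
  return store[className].map((o) => resolvePointers(o, getChecked));
}
```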

Affected configurations

parseplatform parse_server, versions 6.0.0 to 6.2.2
OR
parseplatform parse_server, versions 1.0.0 to 5.5.5
CPE: cpe:2.3:a:parseplatform:parse_server:*:*:*:*:*:*:*:*
