CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Percentile: 45.0%
A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the `beforeFind` query trigger, which is an additional vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify an incoming query.

The vulnerability was fixed by patching the internal query pipeline so that a Parse Pointer can no longer be used to access internal Parse Server classes or to circumvent the `beforeFind` trigger.

There is no known workaround to prevent a Parse Pointer from being used to access internal Parse Server classes. If a `beforeFind` trigger is used as a security layer, the workaround is to instead use the security layers provided by Parse Server to manage access levels: Class-Level Permissions and Object-Level Access Control.
Vendor | Product | Version | CPE
---|---|---|---
parseplatform | parse_server | * | cpe:2.3:a:parseplatform:parse_server:*:*:*:*:*:*:*:*
References
- docs.parseplatform.org/parse-server/guide/#security
- github.com/advisories/GHSA-fcv6-fg5r-jm9q
- github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5
- github.com/parse-community/parse-server/releases/tag/5.5.5
- github.com/parse-community/parse-server/releases/tag/6.2.2
- github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q
- nvd.nist.gov/vuln/detail/CVE-2023-41058