GoogleOSV:BIT-PARSE-2022-31112BIT-parse-2022-31112
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
51.3%
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.
References
github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1
github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6
github.com/parse-community/parse-server/issues/8073
github.com/parse-community/parse-server/pull/8074
github.com/parse-community/parse-server/releases/tag/5.2.4
github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
51.3%