CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.002 Low
Percentile: 59.7%
A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.
Improved keyword detection.
None.
Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative
| CPE | Name | Operator | Version |
|---|---|---|---|
| | parse-server | lt | 4.10.20 |
| | parse-server | ge | 5.0.0 |
| | parse-server | lt | 5.3.3 |
github.com/parse-community/parse-server
github.com/parse-community/parse-server/commit/60c5a73d257e0d536056b38bdafef8b7130524d8
github.com/parse-community/parse-server/commit/6c63f04ba37174021082a5b5c4ba1556dcc954f4
github.com/parse-community/parse-server/pull/8305
github.com/parse-community/parse-server/pull/8306
github.com/parse-community/parse-server/releases/tag/4.10.20
github.com/parse-community/parse-server/releases/tag/5.3.3
github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf
nvd.nist.gov/vuln/detail/CVE-2022-41879