GoogleOSV:GHSA-93VW-8FM5-P2JFParse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
59.7%
Impact
A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.
Patches
Improved keyword detection.
Workarounds
None.
Collaborators
Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| parse-server | lt | 4.10.20 | |
| parse-server | ge | 5.0.0 | |
| parse-server | lt | 5.3.3 |
References
github.com/parse-community/parse-server
github.com/parse-community/parse-server/commit/60c5a73d257e0d536056b38bdafef8b7130524d8
github.com/parse-community/parse-server/commit/6c63f04ba37174021082a5b5c4ba1556dcc954f4
github.com/parse-community/parse-server/pull/8305
github.com/parse-community/parse-server/pull/8306
github.com/parse-community/parse-server/releases/tag/4.10.20
github.com/parse-community/parse-server/releases/tag/5.3.3
github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf
nvd.nist.gov/vuln/detail/CVE-2022-41879
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
59.7%