CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Percentile: 51.3%
Parse Server LiveQuery does not strip protected fields from class objects before passing them to the client, so fields marked as protected are exposed to LiveQuery subscribers.
Patched: the LiveQueryController now removes protected fields from the client response.
Workaround: use Parse.Cloud.afterLiveQueryEvent to remove protected fields manually before the event is sent.
If you have any questions or comments about this advisory, open an issue at github.com/parse-community/parse-server

References:
github.com/parse-community/parse-server/commit/054f3e6ab01d66a0dcfb77725af28eac1485b375
github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1
github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6
github.com/parse-community/parse-server/issues/8073
github.com/parse-community/parse-server/pull/8074
github.com/parse-community/parse-server/releases/tag/5.2.4
github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
nvd.nist.gov/vuln/detail/CVE-2022-31112