Search criteria
64 vulnerabilities found for parse-server by parse-community
CVE-2025-64502 (GCVE-0-2025-64502)
Vulnerability from cvelistv5 – Published: 2025-11-10 21:40 – Updated: 2025-11-12 20:14
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to version 8.5.0-alpha.5, Parse Server permits any client to execute explain queries without requiring the master key. This exposes database schema structure and field names, index configurations and query optimization details, query execution statistics and performance metrics, and potential attack vectors for database performance exploitation. In version 8.5.0-alpha.5, a new `databaseOptions.allowPublicExplain` configuration option has been introduced that allows to restrict `explain` queries to the master key. The option defaults to `true` for now to avoid a breaking change in production systems that depends on public `explain` availability. In addition, a security warning is logged when the option is not explicitly set, or set to `true`. In a future major release of Parse Server, the default will change to `false`. As a workaround, implement middleware to block explain queries from non-master-key requests, or monitor and alert on explain query usage in production environments.
Severity ?
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 8.5.0-alpha.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:36:05.360200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:14:25.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 8.5.0-alpha.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to version 8.5.0-alpha.5, Parse Server permits any client to execute explain queries without requiring the master key. This exposes database schema structure and field names, index configurations and query optimization details, query execution statistics and performance metrics, and potential attack vectors for database performance exploitation. In version 8.5.0-alpha.5, a new `databaseOptions.allowPublicExplain` configuration option has been introduced that allows to restrict `explain` queries to the master key. The option defaults to `true` for now to avoid a breaking change in production systems that depends on public `explain` availability. In addition, a security warning is logged when the option is not explicitly set, or set to `true`. In a future major release of Parse Server, the default will change to `false`. As a workaround, implement middleware to block explain queries from non-master-key requests, or monitor and alert on explain query usage in production environments."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:40:33.698Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9890",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9890"
},
{
"name": "https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452"
}
],
"source": {
"advisory": "GHSA-7cx5-254x-cgrq",
"discovery": "UNKNOWN"
},
"title": "Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64502",
"datePublished": "2025-11-10T21:40:33.698Z",
"dateReserved": "2025-11-05T19:12:25.104Z",
"dateUpdated": "2025-11-12T20:14:25.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64430 (GCVE-0-2025-64430)
Vulnerability from cvelistv5 – Published: 2025-11-07 17:55 – Updated: 2025-11-07 18:23
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a Parse.File with uri parameter, allowing execution of an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server's file storage as the server crashes upon receiving the response. This issue is fixed in versions 7.5.4 and 8.4.0-alpha.1.
Severity ?
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
>= 4.2.0, < 7.5.4
Affected: >= 8.0.0, <= 8.4.0-alpha.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64430",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T18:22:45.510683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T18:23:02.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 7.5.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c= 8.4.0-alpha.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a Parse.File with uri parameter, allowing execution of an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server\u0027s file storage as the server crashes upon receiving the response. This issue is fixed in versions 7.5.4 and 8.4.0-alpha.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T17:55:27.768Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9903",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9903"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9904",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9904"
},
{
"name": "https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51"
},
{
"name": "https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585"
}
],
"source": {
"advisory": "GHSA-x4qj-2f4q-r4rx",
"discovery": "UNKNOWN"
},
"title": "Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64430",
"datePublished": "2025-11-07T17:55:27.768Z",
"dateReserved": "2025-11-03T22:12:51.365Z",
"dateUpdated": "2025-11-07T18:23:02.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53364 (GCVE-0-2025-53364)
Vulnerability from cvelistv5 – Published: 2025-07-10 15:18 – Updated: 2025-07-10 15:52
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface. This vulnerability is fixed in 7.5.3 and 8.2.2.
Severity ?
5.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
>= 5.3.0, < 7.5.3
Affected: >= 8.0.0, < 8.2.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53364",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T15:52:42.588707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T15:52:47.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.3.0, \u003c 7.5.3"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface. This vulnerability is fixed in 7.5.3 and 8.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T15:18:24.855Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48q3-prgv-gm4w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48q3-prgv-gm4w"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9819",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9819"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9820",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9820"
}
],
"source": {
"advisory": "GHSA-48q3-prgv-gm4w",
"discovery": "UNKNOWN"
},
"title": "Parse Server exposes the data schema via GraphQL API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53364",
"datePublished": "2025-07-10T15:18:24.855Z",
"dateReserved": "2025-06-27T12:57:16.121Z",
"dateUpdated": "2025-07-10T15:52:47.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30168 (GCVE-0-2025-30168)
Vulnerability from cvelistv5 – Published: 2025-03-21 14:54 – Updated: 2025-03-21 15:12
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option auth to configure a Parse Server authentication adapter. The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secure payload, which is different from the previous insecure payload. This vulnerability is fixed in 7.5.2 and 8.0.2.
Severity ?
6.9 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 7.5.2
Affected: >= 8.0.0 ,< 8.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-21T15:12:30.748285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-21T15:12:37.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.2"
},
{
"status": "affected",
"version": "\u003e= 8.0.0 ,\u003c 8.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option auth to configure a Parse Server authentication adapter. The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secure payload, which is different from the previous insecure payload. This vulnerability is fixed in 7.5.2 and 8.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-21T14:54:22.369Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9667",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9667"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9668",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9668"
},
{
"name": "https://github.com/parse-community/parse-server/commit/2ff9c71030bce3aada0a00fbceedeb7ae2c8a41e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/2ff9c71030bce3aada0a00fbceedeb7ae2c8a41e"
},
{
"name": "https://github.com/parse-community/parse-server/commit/5ef0440c8e763854e62341acaeb6dc4ade3ba82f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/5ef0440c8e763854e62341acaeb6dc4ade3ba82f"
},
{
"name": "https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication"
}
],
"source": {
"advisory": "GHSA-837q-jhwx-cmpv",
"discovery": "UNKNOWN"
},
"title": "Parse Server has an OAuth login vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30168",
"datePublished": "2025-03-21T14:54:22.369Z",
"dateReserved": "2025-03-17T12:41:42.569Z",
"dateUpdated": "2025-03-21T15:12:37.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47183 (GCVE-0-2024-47183)
Vulnerability from cvelistv5 – Published: 2024-10-04 15:06 – Updated: 2024-10-04 15:30
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0.
Severity ?
8.1 (High)
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 6.5.9
Affected: >= 7.0.0, < 7.3.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parse_community:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parse_community",
"versions": [
{
"lessThan": "6.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.3.0",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47183",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-04T15:24:37.759909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-04T15:28:10.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.9"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-04T15:30:37.224Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9317",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9317"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9318",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9318"
},
{
"name": "https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc"
},
{
"name": "https://github.com/parse-community/parse-server/commit/1bfbccf9ee7ea77533b2b2aa7c4c69f3bd35e66f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/1bfbccf9ee7ea77533b2b2aa7c4c69f3bd35e66f"
}
],
"source": {
"advisory": "GHSA-8xq9-g7ch-35hg",
"discovery": "UNKNOWN"
},
"title": "Parse Server\u0027s custom object ID allows to acquire role privileges"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47183",
"datePublished": "2024-10-04T15:06:45.274Z",
"dateReserved": "2024-09-19T22:32:11.963Z",
"dateUpdated": "2024-10-04T15:30:37.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39309 (GCVE-0-2024-39309)
Vulnerability from cvelistv5 – Published: 2024-07-01 21:15 – Updated: 2024-08-02 04:19
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 6.5.7
Affected: >= 7.0.0, < 7.1.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parse_community:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parse_community",
"versions": [
{
"status": "affected",
"version": "6.5.7"
},
{
"status": "affected",
"version": "7.0.0"
},
{
"status": "affected",
"version": "7.1.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39309",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T17:29:00.388525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T17:32:40.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.712Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9167",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/pull/9167"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9168",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/pull/9168"
},
{
"name": "https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3"
},
{
"name": "https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.7"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T21:15:26.242Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9167",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9167"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9168",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9168"
},
{
"name": "https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3"
},
{
"name": "https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b"
}
],
"source": {
"advisory": "GHSA-c2hr-cqg6-8j6r",
"discovery": "UNKNOWN"
},
"title": "ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39309",
"datePublished": "2024-07-01T21:15:26.242Z",
"dateReserved": "2024-06-21T18:15:22.260Z",
"dateUpdated": "2024-08-02T04:19:20.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29027 (GCVE-0-2024-29027)
Vulnerability from cvelistv5 – Published: 2024-03-19 18:57 – Updated: 2024-08-02 14:42
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.
Severity ?
9.1 (Critical)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 6.5.5
Affected: >= 7.0.0-alpha.1, < 7.0.0-alpha.29 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.581Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29"
},
{
"name": "https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b"
},
{
"name": "https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.5"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parse_community:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parse_community",
"versions": [
{
"lessThan": "6.5.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.0.0-alpha.29",
"status": "affected",
"version": "7.0.0-alpha.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29027",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-20T14:37:25.176000Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T14:42:21.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.5"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-alpha.1, \u003c 7.0.0-alpha.29"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-19T18:57:24.782Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29"
},
{
"name": "https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b"
},
{
"name": "https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.5"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29"
}
],
"source": {
"advisory": "GHSA-6hh7-46r2-vf29",
"discovery": "UNKNOWN"
},
"title": "Parse Server crash and RCE via invalid Cloud Function or Cloud Job name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29027",
"datePublished": "2024-03-19T18:57:24.782Z",
"dateReserved": "2024-03-14T16:59:47.611Z",
"dateUpdated": "2024-08-02T14:42:21.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27298 (GCVE-0-2024-27298)
Vulnerability from cvelistv5 – Published: 2024-03-01 17:48 – Updated: 2024-08-22 18:28
VLAI?
Summary
parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.
Severity ?
10 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 6.5.0
Affected: >= 7.0.0-alpha.1, < 7.0.0-alpha.20 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"
},
{
"name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"
},
{
"name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "parse-server",
"vendor": "parseplatform",
"versions": [
{
"lessThan": "6.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.0.0-alpha.20",
"status": "affected",
"version": "7.0.0-alpha.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27298",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T15:39:53.508702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T18:28:04.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.0"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-alpha.1, \u003c 7.0.0-alpha.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-01T17:48:52.919Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"
},
{
"name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"
},
{
"name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"
}
],
"source": {
"advisory": "GHSA-6927-3vr9-fxf2",
"discovery": "UNKNOWN"
},
"title": "Parse Server literalizeRegexPart SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27298",
"datePublished": "2024-03-01T17:48:52.919Z",
"dateReserved": "2024-02-22T18:08:38.875Z",
"dateUpdated": "2024-08-22T18:28:04.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46119 (GCVE-0-2023-46119)
Vulnerability from cvelistv5 – Published: 2023-10-25 00:03 – Updated: 2024-09-10 15:56
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.
Severity ?
7.5 (High)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
>= 1.0.0, < 5.5.6
Affected: >= 6.0.0, < 6.3.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.340Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579"
},
{
"name": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe"
},
{
"name": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.6"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.3.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.3.1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parse_community:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parse_community",
"versions": [
{
"lessThan": "5.5.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:parse_community:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parse_community",
"versions": [
{
"lessThan": "6.3.1",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:28:20.838525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T15:56:13.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 5.5.6"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T00:03:55.774Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579"
},
{
"name": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe"
},
{
"name": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.6"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.3.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.3.1"
}
],
"source": {
"advisory": "GHSA-792q-q67h-w579",
"discovery": "UNKNOWN"
},
"title": "Parse Server may crash when uploading file without extension"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46119",
"datePublished": "2023-10-25T00:03:55.774Z",
"dateReserved": "2023-10-16T17:51:35.571Z",
"dateUpdated": "2024-09-10T15:56:13.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41058 (GCVE-0-2023-41058)
Vulnerability from cvelistv5 – Published: 2023-09-04 22:39 – Updated: 2024-09-30 17:43
VLAI?
Summary
Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers.
Severity ?
7.5 (High)
CWE
- CWE-670 - Always-Incorrect Control Flow Implementation
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
>= 1.0.0, < 5.5.5
Affected: >= 6.0.0, < 6.2.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:11.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q"
},
{
"name": "https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5"
},
{
"name": "https://docs.parseplatform.org/parse-server/guide/#security",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.parseplatform.org/parse-server/guide/#security"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.5"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.2.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T17:43:38.959274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T17:43:48.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 5.5.5"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server\u0027s security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-670",
"description": "CWE-670: Always-Incorrect Control Flow Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-04T22:39:55.276Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q"
},
{
"name": "https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5"
},
{
"name": "https://docs.parseplatform.org/parse-server/guide/#security",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.parseplatform.org/parse-server/guide/#security"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.5"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.2.2"
}
],
"source": {
"advisory": "GHSA-fcv6-fg5r-jm9q",
"discovery": "UNKNOWN"
},
"title": "Trigger `beforeFind` not invoked in internal query pipeline in parse-server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41058",
"datePublished": "2023-09-04T22:39:55.276Z",
"dateReserved": "2023-08-22T16:57:23.934Z",
"dateUpdated": "2024-09-30T17:43:48.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36475 (GCVE-0-2023-36475)
Vulnerability from cvelistv5 – Published: 2023-06-28 22:32 – Updated: 2024-11-27 14:44
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.
Severity ?
9.8 (Critical)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 5.5.2
Affected: >= 6.0.0, < 6.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:45:57.041Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"
},
{
"name": "https://github.com/parse-community/parse-server/issues/8674",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/issues/8674"
},
{
"name": "https://github.com/parse-community/parse-server/issues/8675",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/issues/8675"
},
{
"name": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"
},
{
"name": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36475",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T14:43:51.427204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T14:44:09.330Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 5.5.2"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-28T22:32:10.081Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"
},
{
"name": "https://github.com/parse-community/parse-server/issues/8674",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/issues/8674"
},
{
"name": "https://github.com/parse-community/parse-server/issues/8675",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/issues/8675"
},
{
"name": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"
},
{
"name": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"
}
],
"source": {
"advisory": "GHSA-462x-c3jw-7vr6",
"discovery": "UNKNOWN"
},
"title": "Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-36475",
"datePublished": "2023-06-28T22:32:10.081Z",
"dateReserved": "2023-06-21T18:50:41.703Z",
"dateUpdated": "2024-11-27T14:44:09.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32689 (GCVE-0-2023-32689)
Vulnerability from cvelistv5 – Published: 2023-05-30 17:27 – Updated: 2025-01-10 19:07
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain.
An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then share it with the attacker.
The fix included in versions 5.4.4 and 6.1.1 adds a new Parse Server option `fileUpload.fileExtensions` to restrict file upload on Parse Server by file extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by default. If an app requires upload of files with HTML file extensions, the option can be set to `['.*']` or another custom value to override the default.
Severity ?
6.3 (Medium)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 5.4.4
Affected: >= 6.0.0, < 6.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9"
},
{
"name": "https://github.com/parse-community/parse-server/pull/8537",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/pull/8537"
},
{
"name": "https://github.com/parse-community/parse-server/pull/8538",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/pull/8538"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T19:07:11.023039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T19:07:30.658Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.4"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company\u0027s official website domain.\n\nAn additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser\u0027s local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user\u0027s session token from local storage and then share it with the attacker.\n\nThe fix included in versions 5.4.4 and 6.1.1 adds a new Parse Server option `fileUpload.fileExtensions` to restrict file upload on Parse Server by file extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by default. If an app requires upload of files with HTML file extensions, the option can be set to `[\u0027.*\u0027]` or another custom value to override the default."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-30T17:27:18.120Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9"
},
{
"name": "https://github.com/parse-community/parse-server/pull/8537",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/8537"
},
{
"name": "https://github.com/parse-community/parse-server/pull/8538",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/8538"
}
],
"source": {
"advisory": "GHSA-9prm-jqwx-45x9",
"discovery": "UNKNOWN"
},
"title": "Parse Server vulnerable to phishing attack vulnerability that involves uploading malicious HTML file"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32689",
"datePublished": "2023-05-30T17:27:18.120Z",
"dateReserved": "2023-05-11T16:33:45.732Z",
"dateUpdated": "2025-01-10T19:07:30.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22474 (GCVE-0-2023-22474)
Vulnerability from cvelistv5 – Published: 2023-02-03 19:57 – Updated: 2024-08-02 10:13
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value. This issue has been patched in version 5.4.1. The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires to set the Parse Server option `trustProxy`.
Severity ?
8.7 (High)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 5.4.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.475Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230309-0005/"
},
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x"
},
{
"name": "https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parseplatform:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parseplatform",
"versions": [
{
"lessThan": "5.4.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22474",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T17:36:20.113790Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T17:45:40.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn\u0027t run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value. This issue has been patched in version 5.4.1. The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires to set the Parse Server option `trustProxy`. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-03T19:57:09.413Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x"
},
{
"name": "https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8"
}
],
"source": {
"advisory": "GHSA-vm5r-c87r-pf6x",
"discovery": "UNKNOWN"
},
"title": "Parse Server is vulnerable to authentication bypass via spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22474",
"datePublished": "2023-02-03T19:57:09.413Z",
"dateReserved": "2022-12-29T03:00:40.881Z",
"dateUpdated": "2024-08-02T10:13:48.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39396 (GCVE-0-2022-39396)
Vulnerability from cvelistv5 – Published: 2022-11-10 00:00 – Updated: 2025-04-23 16:38
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds.
Severity ?
9.8 (Critical)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 4.10.18
Affected: >= 5.0.0, < 5.3.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:07:41.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:14.422123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:38:53.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 4.10.18"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-10T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg"
}
],
"source": {
"advisory": "GHSA-prm5-8g2m-24gg",
"discovery": "UNKNOWN"
},
"title": "Parse Server vulnerable to Remote Code Execution via prototype pollution in MongoDB BSON parser"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39396",
"datePublished": "2022-11-10T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:38:53.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41879 (GCVE-0-2022-41879)
Vulnerability from cvelistv5 – Published: 2022-11-10 00:00 – Updated: 2025-04-23 16:38
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds.
Severity ?
7.2 (High)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 4.10.20
Affected: >= 5.0.0, < 5.3.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.306Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:46:47.002055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:38:21.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 4.10.20"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-10T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf"
}
],
"source": {
"advisory": "GHSA-93vw-8fm5-p2jf",
"discovery": "UNKNOWN"
},
"title": "Parse Server subject to Prototype pollution via Cloud Code Webhooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41879",
"datePublished": "2022-11-10T00:00:00.000Z",
"dateReserved": "2022-09-30T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:38:21.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-64502 (GCVE-0-2025-64502)
Vulnerability from nvd – Published: 2025-11-10 21:40 – Updated: 2025-11-12 20:14
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to version 8.5.0-alpha.5, Parse Server permits any client to execute explain queries without requiring the master key. This exposes database schema structure and field names, index configurations and query optimization details, query execution statistics and performance metrics, and potential attack vectors for database performance exploitation. In version 8.5.0-alpha.5, a new `databaseOptions.allowPublicExplain` configuration option has been introduced that allows to restrict `explain` queries to the master key. The option defaults to `true` for now to avoid a breaking change in production systems that depends on public `explain` availability. In addition, a security warning is logged when the option is not explicitly set, or set to `true`. In a future major release of Parse Server, the default will change to `false`. As a workaround, implement middleware to block explain queries from non-master-key requests, or monitor and alert on explain query usage in production environments.
Severity ?
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 8.5.0-alpha.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:36:05.360200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:14:25.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 8.5.0-alpha.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to version 8.5.0-alpha.5, Parse Server permits any client to execute explain queries without requiring the master key. This exposes database schema structure and field names, index configurations and query optimization details, query execution statistics and performance metrics, and potential attack vectors for database performance exploitation. In version 8.5.0-alpha.5, a new `databaseOptions.allowPublicExplain` configuration option has been introduced that allows to restrict `explain` queries to the master key. The option defaults to `true` for now to avoid a breaking change in production systems that depends on public `explain` availability. In addition, a security warning is logged when the option is not explicitly set, or set to `true`. In a future major release of Parse Server, the default will change to `false`. As a workaround, implement middleware to block explain queries from non-master-key requests, or monitor and alert on explain query usage in production environments."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:40:33.698Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9890",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9890"
},
{
"name": "https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452"
}
],
"source": {
"advisory": "GHSA-7cx5-254x-cgrq",
"discovery": "UNKNOWN"
},
"title": "Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64502",
"datePublished": "2025-11-10T21:40:33.698Z",
"dateReserved": "2025-11-05T19:12:25.104Z",
"dateUpdated": "2025-11-12T20:14:25.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64430 (GCVE-0-2025-64430)
Vulnerability from nvd – Published: 2025-11-07 17:55 – Updated: 2025-11-07 18:23
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a Parse.File with uri parameter, allowing execution of an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server's file storage as the server crashes upon receiving the response. This issue is fixed in versions 7.5.4 and 8.4.0-alpha.1.
Severity ?
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
>= 4.2.0, < 7.5.4
Affected: >= 8.0.0, <= 8.4.0-alpha.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64430",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T18:22:45.510683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T18:23:02.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 7.5.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c= 8.4.0-alpha.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a Parse.File with uri parameter, allowing execution of an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server\u0027s file storage as the server crashes upon receiving the response. This issue is fixed in versions 7.5.4 and 8.4.0-alpha.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T17:55:27.768Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9903",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9903"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9904",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9904"
},
{
"name": "https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51"
},
{
"name": "https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585"
}
],
"source": {
"advisory": "GHSA-x4qj-2f4q-r4rx",
"discovery": "UNKNOWN"
},
"title": "Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64430",
"datePublished": "2025-11-07T17:55:27.768Z",
"dateReserved": "2025-11-03T22:12:51.365Z",
"dateUpdated": "2025-11-07T18:23:02.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53364 (GCVE-0-2025-53364)
Vulnerability from nvd – Published: 2025-07-10 15:18 – Updated: 2025-07-10 15:52
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface. This vulnerability is fixed in 7.5.3 and 8.2.2.
Severity ?
5.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
>= 5.3.0, < 7.5.3
Affected: >= 8.0.0, < 8.2.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53364",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T15:52:42.588707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T15:52:47.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.3.0, \u003c 7.5.3"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface. This vulnerability is fixed in 7.5.3 and 8.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T15:18:24.855Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48q3-prgv-gm4w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48q3-prgv-gm4w"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9819",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9819"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9820",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9820"
}
],
"source": {
"advisory": "GHSA-48q3-prgv-gm4w",
"discovery": "UNKNOWN"
},
"title": "Parse Server exposes the data schema via GraphQL API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53364",
"datePublished": "2025-07-10T15:18:24.855Z",
"dateReserved": "2025-06-27T12:57:16.121Z",
"dateUpdated": "2025-07-10T15:52:47.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30168 (GCVE-0-2025-30168)
Vulnerability from nvd – Published: 2025-03-21 14:54 – Updated: 2025-03-21 15:12
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option auth to configure a Parse Server authentication adapter. The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secure payload, which is different from the previous insecure payload. This vulnerability is fixed in 7.5.2 and 8.0.2.
Severity ?
6.9 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 7.5.2
Affected: >= 8.0.0 ,< 8.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-21T15:12:30.748285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-21T15:12:37.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.2"
},
{
"status": "affected",
"version": "\u003e= 8.0.0 ,\u003c 8.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option auth to configure a Parse Server authentication adapter. The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secure payload, which is different from the previous insecure payload. This vulnerability is fixed in 7.5.2 and 8.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-21T14:54:22.369Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9667",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9667"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9668",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9668"
},
{
"name": "https://github.com/parse-community/parse-server/commit/2ff9c71030bce3aada0a00fbceedeb7ae2c8a41e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/2ff9c71030bce3aada0a00fbceedeb7ae2c8a41e"
},
{
"name": "https://github.com/parse-community/parse-server/commit/5ef0440c8e763854e62341acaeb6dc4ade3ba82f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/5ef0440c8e763854e62341acaeb6dc4ade3ba82f"
},
{
"name": "https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication"
}
],
"source": {
"advisory": "GHSA-837q-jhwx-cmpv",
"discovery": "UNKNOWN"
},
"title": "Parse Server has an OAuth login vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30168",
"datePublished": "2025-03-21T14:54:22.369Z",
"dateReserved": "2025-03-17T12:41:42.569Z",
"dateUpdated": "2025-03-21T15:12:37.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47183 (GCVE-0-2024-47183)
Vulnerability from nvd – Published: 2024-10-04 15:06 – Updated: 2024-10-04 15:30
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0.
Severity ?
8.1 (High)
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 6.5.9
Affected: >= 7.0.0, < 7.3.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parse_community:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parse_community",
"versions": [
{
"lessThan": "6.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.3.0",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47183",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-04T15:24:37.759909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-04T15:28:10.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.9"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-04T15:30:37.224Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9317",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9317"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9318",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9318"
},
{
"name": "https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc"
},
{
"name": "https://github.com/parse-community/parse-server/commit/1bfbccf9ee7ea77533b2b2aa7c4c69f3bd35e66f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/1bfbccf9ee7ea77533b2b2aa7c4c69f3bd35e66f"
}
],
"source": {
"advisory": "GHSA-8xq9-g7ch-35hg",
"discovery": "UNKNOWN"
},
"title": "Parse Server\u0027s custom object ID allows to acquire role privileges"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47183",
"datePublished": "2024-10-04T15:06:45.274Z",
"dateReserved": "2024-09-19T22:32:11.963Z",
"dateUpdated": "2024-10-04T15:30:37.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39309 (GCVE-0-2024-39309)
Vulnerability from nvd – Published: 2024-07-01 21:15 – Updated: 2024-08-02 04:19
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 6.5.7
Affected: >= 7.0.0, < 7.1.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parse_community:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parse_community",
"versions": [
{
"status": "affected",
"version": "6.5.7"
},
{
"status": "affected",
"version": "7.0.0"
},
{
"status": "affected",
"version": "7.1.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39309",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T17:29:00.388525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T17:32:40.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.712Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9167",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/pull/9167"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9168",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/pull/9168"
},
{
"name": "https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3"
},
{
"name": "https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.7"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T21:15:26.242Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9167",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9167"
},
{
"name": "https://github.com/parse-community/parse-server/pull/9168",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/9168"
},
{
"name": "https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3"
},
{
"name": "https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b"
}
],
"source": {
"advisory": "GHSA-c2hr-cqg6-8j6r",
"discovery": "UNKNOWN"
},
"title": "ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39309",
"datePublished": "2024-07-01T21:15:26.242Z",
"dateReserved": "2024-06-21T18:15:22.260Z",
"dateUpdated": "2024-08-02T04:19:20.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29027 (GCVE-0-2024-29027)
Vulnerability from nvd – Published: 2024-03-19 18:57 – Updated: 2024-08-02 14:42
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.
Severity ?
9.1 (Critical)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 6.5.5
Affected: >= 7.0.0-alpha.1, < 7.0.0-alpha.29 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.581Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29"
},
{
"name": "https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b"
},
{
"name": "https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.5"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parse_community:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parse_community",
"versions": [
{
"lessThan": "6.5.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.0.0-alpha.29",
"status": "affected",
"version": "7.0.0-alpha.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29027",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-20T14:37:25.176000Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T14:42:21.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.5"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-alpha.1, \u003c 7.0.0-alpha.29"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-19T18:57:24.782Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29"
},
{
"name": "https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b"
},
{
"name": "https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.5"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29"
}
],
"source": {
"advisory": "GHSA-6hh7-46r2-vf29",
"discovery": "UNKNOWN"
},
"title": "Parse Server crash and RCE via invalid Cloud Function or Cloud Job name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29027",
"datePublished": "2024-03-19T18:57:24.782Z",
"dateReserved": "2024-03-14T16:59:47.611Z",
"dateUpdated": "2024-08-02T14:42:21.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27298 (GCVE-0-2024-27298)
Vulnerability from nvd – Published: 2024-03-01 17:48 – Updated: 2024-08-22 18:28
VLAI?
Summary
parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.
Severity ?
10 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 6.5.0
Affected: >= 7.0.0-alpha.1, < 7.0.0-alpha.20 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"
},
{
"name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"
},
{
"name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "parse-server",
"vendor": "parseplatform",
"versions": [
{
"lessThan": "6.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.0.0-alpha.20",
"status": "affected",
"version": "7.0.0-alpha.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27298",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T15:39:53.508702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T18:28:04.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.0"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-alpha.1, \u003c 7.0.0-alpha.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-01T17:48:52.919Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"
},
{
"name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"
},
{
"name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"
}
],
"source": {
"advisory": "GHSA-6927-3vr9-fxf2",
"discovery": "UNKNOWN"
},
"title": "Parse Server literalizeRegexPart SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27298",
"datePublished": "2024-03-01T17:48:52.919Z",
"dateReserved": "2024-02-22T18:08:38.875Z",
"dateUpdated": "2024-08-22T18:28:04.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46119 (GCVE-0-2023-46119)
Vulnerability from nvd – Published: 2023-10-25 00:03 – Updated: 2024-09-10 15:56
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.
Severity ?
7.5 (High)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
>= 1.0.0, < 5.5.6
Affected: >= 6.0.0, < 6.3.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.340Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579"
},
{
"name": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe"
},
{
"name": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.6"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.3.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.3.1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parse_community:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parse_community",
"versions": [
{
"lessThan": "5.5.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:parse_community:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parse_community",
"versions": [
{
"lessThan": "6.3.1",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:28:20.838525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T15:56:13.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 5.5.6"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T00:03:55.774Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579"
},
{
"name": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe"
},
{
"name": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.6"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.3.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.3.1"
}
],
"source": {
"advisory": "GHSA-792q-q67h-w579",
"discovery": "UNKNOWN"
},
"title": "Parse Server may crash when uploading file without extension"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46119",
"datePublished": "2023-10-25T00:03:55.774Z",
"dateReserved": "2023-10-16T17:51:35.571Z",
"dateUpdated": "2024-09-10T15:56:13.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41058 (GCVE-0-2023-41058)
Vulnerability from nvd – Published: 2023-09-04 22:39 – Updated: 2024-09-30 17:43
VLAI?
Summary
Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers.
Severity ?
7.5 (High)
CWE
- CWE-670 - Always-Incorrect Control Flow Implementation
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
>= 1.0.0, < 5.5.5
Affected: >= 6.0.0, < 6.2.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:11.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q"
},
{
"name": "https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5"
},
{
"name": "https://docs.parseplatform.org/parse-server/guide/#security",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.parseplatform.org/parse-server/guide/#security"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.5"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.2.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T17:43:38.959274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T17:43:48.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 5.5.5"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server\u0027s security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-670",
"description": "CWE-670: Always-Incorrect Control Flow Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-04T22:39:55.276Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q"
},
{
"name": "https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5"
},
{
"name": "https://docs.parseplatform.org/parse-server/guide/#security",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.parseplatform.org/parse-server/guide/#security"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.5"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.2.2"
}
],
"source": {
"advisory": "GHSA-fcv6-fg5r-jm9q",
"discovery": "UNKNOWN"
},
"title": "Trigger `beforeFind` not invoked in internal query pipeline in parse-server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41058",
"datePublished": "2023-09-04T22:39:55.276Z",
"dateReserved": "2023-08-22T16:57:23.934Z",
"dateUpdated": "2024-09-30T17:43:48.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36475 (GCVE-0-2023-36475)
Vulnerability from nvd – Published: 2023-06-28 22:32 – Updated: 2024-11-27 14:44
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.
Severity ?
9.8 (Critical)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 5.5.2
Affected: >= 6.0.0, < 6.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:45:57.041Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"
},
{
"name": "https://github.com/parse-community/parse-server/issues/8674",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/issues/8674"
},
{
"name": "https://github.com/parse-community/parse-server/issues/8675",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/issues/8675"
},
{
"name": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"
},
{
"name": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36475",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T14:43:51.427204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T14:44:09.330Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 5.5.2"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-28T22:32:10.081Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"
},
{
"name": "https://github.com/parse-community/parse-server/issues/8674",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/issues/8674"
},
{
"name": "https://github.com/parse-community/parse-server/issues/8675",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/issues/8675"
},
{
"name": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"
},
{
"name": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"
}
],
"source": {
"advisory": "GHSA-462x-c3jw-7vr6",
"discovery": "UNKNOWN"
},
"title": "Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-36475",
"datePublished": "2023-06-28T22:32:10.081Z",
"dateReserved": "2023-06-21T18:50:41.703Z",
"dateUpdated": "2024-11-27T14:44:09.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32689 (GCVE-0-2023-32689)
Vulnerability from nvd – Published: 2023-05-30 17:27 – Updated: 2025-01-10 19:07
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain.
An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then share it with the attacker.
The fix included in versions 5.4.4 and 6.1.1 adds a new Parse Server option `fileUpload.fileExtensions` to restrict file upload on Parse Server by file extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by default. If an app requires upload of files with HTML file extensions, the option can be set to `['.*']` or another custom value to override the default.
Severity ?
6.3 (Medium)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 5.4.4
Affected: >= 6.0.0, < 6.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9"
},
{
"name": "https://github.com/parse-community/parse-server/pull/8537",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/pull/8537"
},
{
"name": "https://github.com/parse-community/parse-server/pull/8538",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/pull/8538"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T19:07:11.023039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T19:07:30.658Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.4"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company\u0027s official website domain.\n\nAn additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser\u0027s local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user\u0027s session token from local storage and then share it with the attacker.\n\nThe fix included in versions 5.4.4 and 6.1.1 adds a new Parse Server option `fileUpload.fileExtensions` to restrict file upload on Parse Server by file extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by default. If an app requires upload of files with HTML file extensions, the option can be set to `[\u0027.*\u0027]` or another custom value to override the default."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-30T17:27:18.120Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9"
},
{
"name": "https://github.com/parse-community/parse-server/pull/8537",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/8537"
},
{
"name": "https://github.com/parse-community/parse-server/pull/8538",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/pull/8538"
}
],
"source": {
"advisory": "GHSA-9prm-jqwx-45x9",
"discovery": "UNKNOWN"
},
"title": "Parse Server vulnerable to phishing attack vulnerability that involves uploading malicious HTML file"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32689",
"datePublished": "2023-05-30T17:27:18.120Z",
"dateReserved": "2023-05-11T16:33:45.732Z",
"dateUpdated": "2025-01-10T19:07:30.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22474 (GCVE-0-2023-22474)
Vulnerability from nvd – Published: 2023-02-03 19:57 – Updated: 2024-08-02 10:13
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value. This issue has been patched in version 5.4.1. The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires to set the Parse Server option `trustProxy`.
Severity ?
8.7 (High)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 5.4.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.475Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230309-0005/"
},
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x"
},
{
"name": "https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:parseplatform:parse_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "parse_server",
"vendor": "parseplatform",
"versions": [
{
"lessThan": "5.4.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22474",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T17:36:20.113790Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T17:45:40.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn\u0027t run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value. This issue has been patched in version 5.4.1. The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires to set the Parse Server option `trustProxy`. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-03T19:57:09.413Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x"
},
{
"name": "https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8"
}
],
"source": {
"advisory": "GHSA-vm5r-c87r-pf6x",
"discovery": "UNKNOWN"
},
"title": "Parse Server is vulnerable to authentication bypass via spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22474",
"datePublished": "2023-02-03T19:57:09.413Z",
"dateReserved": "2022-12-29T03:00:40.881Z",
"dateUpdated": "2024-08-02T10:13:48.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39396 (GCVE-0-2022-39396)
Vulnerability from nvd – Published: 2022-11-10 00:00 – Updated: 2025-04-23 16:38
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds.
Severity ?
9.8 (Critical)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 4.10.18
Affected: >= 5.0.0, < 5.3.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:07:41.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:14.422123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:38:53.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 4.10.18"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-10T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg"
}
],
"source": {
"advisory": "GHSA-prm5-8g2m-24gg",
"discovery": "UNKNOWN"
},
"title": "Parse Server vulnerable to Remote Code Execution via prototype pollution in MongoDB BSON parser"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39396",
"datePublished": "2022-11-10T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:38:53.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41879 (GCVE-0-2022-41879)
Vulnerability from nvd – Published: 2022-11-10 00:00 – Updated: 2025-04-23 16:38
VLAI?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds.
Severity ?
7.2 (High)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 4.10.20
Affected: >= 5.0.0, < 5.3.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.306Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:46:47.002055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:38:21.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 4.10.20"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-10T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf"
}
],
"source": {
"advisory": "GHSA-93vw-8fm5-p2jf",
"discovery": "UNKNOWN"
},
"title": "Parse Server subject to Prototype pollution via Cloud Code Webhooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41879",
"datePublished": "2022-11-10T00:00:00.000Z",
"dateReserved": "2022-09-30T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:38:21.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}