GHSA-CRRQ-VR9J-FXXH

Vulnerability from github – Published: 2022-07-06 19:52 – Updated: 2022-07-06 19:52
VLAI?
Summary
Protected fields exposed via LiveQuery
Details

Impact

Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.

Patches

The LiveQueryController now removes protected fields from the client response.

Workarounds

Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.

References

  • https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
  • https://github.com/parse-community/parse-server

For more information

If you have any questions or comments about this advisory: - For questions or comments about this vulnerability visit our community forum or community chat - Report other vulnerabilities at report.parseplatform.org

Severity ?
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T19:52:23Z",
    "nvd_published_at": "2022-06-30T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nParse Server LiveQuery does not remove protected fields in classes, passing them to the client.\n\n### Patches\nThe LiveQueryController now removes protected fields from the client response.\n\n### Workarounds\nUse `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.\n\n### References\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh\n- https://github.com/parse-community/parse-server\n\n### For more information\nIf you have any questions or comments about this advisory:\n- For questions or comments about this vulnerability visit our [community forum](http://community.parseplatform.org/) or [community chat](http://chat.parseplatform.org/)\n- Report other vulnerabilities at [report.parseplatform.org](https://report.parseplatform.org/)\n",
  "id": "GHSA-crrq-vr9j-fxxh",
  "modified": "2022-07-06T19:52:23Z",
  "published": "2022-07-06T19:52:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31112"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/issues/8073"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/8074"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/054f3e6ab01d66a0dcfb77725af28eac1485b375"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/5.2.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Protected fields exposed via LiveQuery"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.