CVE Vulnerability

CVE-2022-31112

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.

6.4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

8.2 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1 Patch Third Party Advisory
https://github.com/parse-community/parse-server/releases/tag/5.2.4 Release Notes Third Party Advisory
https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh Third Party Advisory
https://github.com/parse-community/parse-server/pull/8074 Patch Release Notes
https://github.com/parse-community/parse-server/issues/8073 Issue Tracking Patch
https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Information

Published : 2022-06-30 05:15

Updated : 2022-07-11 05:16

NVD link : CVE-2022-31112

Mitre link : CVE-2022-31112

Products Affected
No products.
CWE
CWE-200