Protected fields exposed via LiveQuery in parse-server
CVE-2022-31112

8.2HIGH

Key Information:

Vendor

Parse-community

Status
Parse-server
Vendor
CVE Published:
30 June 2022

What is CVE-2022-31112?

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.

Affected Version(s)

parse-server < 4.10.13 < 4.10.13

parse-server >= 5.0.0, < 5.2.4 < 5.0.0, 5.2.4

References

https://github.com/parse-community/parse-server/security/...
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/issues/8073
x_refsource_MISC
https://github.com/parse-community/parse-server/pull/8074
x_refsource_MISC

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.