Parse Server vulnerable to brute force guessing of user sensitive data via search patterns
CVE-2022-36079

8.6HIGH

Key Information:

Vendor

Parse-community

Status
Parse-server
Vendor
CVE Published:
7 September 2022

What is CVE-2022-36079?

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by _) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger beforeFind and manually remove the query constraints.

Affected Version(s)

parse-server < 4.10.14 < 4.10.14

parse-server >= 5.0.0, < 5.2.5 < 5.0.0, 5.2.5

References

https://github.com/parse-community/parse-server/security/...
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/issues/8143
x_refsource_MISC
https://github.com/parse-community/parse-server/issues/8144
x_refsource_MISC

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.