Trigger `beforeFind` not invoked in internal query pipeline in parse-server
CVE-2023-41058
7.5 HIGH
What is CVE-2023-41058?
In certain versions of Parse Server, improper handling of the beforeFind Cloud Code trigger (it is not invoked for queries that go through the internal query pipeline) allows certain queries to bypass security checks implemented in that trigger. Applications that rely on beforeFind to restrict or modify queries are exposed, potentially leading to unauthorized data access. To mitigate this risk, users should upgrade to version 5.5.5 or 6.2.2, where the issue has been addressed. Those unable to upgrade are advised to use the built-in security features, Class-Level Permissions and Object-Level Access Control, instead of relying solely on custom security mechanisms within Cloud Code triggers.
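As an added illustration (not Parse Server's own code and not the real Parse SDK), the constructed JavaScript model below shows why the advisory points users toward Class-Level Permissions and ACLs: a restriction that exists only in a beforeFind hook vanishes on any pipeline path that skips the hook, whereas data-layer permissions are checked on every path. The function names (runFind, registerBeforeFind, the two scenario helpers) and the sample Invoice data are assumptions made for this example.

```javascript
// Constructed model of a Parse-Server-like query pipeline with two enforcement
// points: a Cloud Code beforeFind hook and data-layer CLP + per-object ACLs.
// This is illustrative code, not the Parse SDK or Parse Server internals.
const beforeFindHooks = {};
function registerBeforeFind(className, hook) { beforeFindHooks[className] = hook; }

// Constructed sample data; readACL lists the principals allowed to read each object.
const store = {
  Invoice: [
    { objectId: 'inv1', owner: 'alice', amount: 120, readACL: ['user:alice'] },
    { objectId: 'inv2', owner: 'bob', amount: 75, readACL: ['user:bob'] },
  ],
};
// Class-Level Permissions: principals allowed to run 'find' on a class ('*' = public).
const classPermissions = { Invoice: { find: ['*'] } };

function runFind(className, where, user, { invokeHooks }) {
  let query = { className, where: { ...where } };
  // 1. Cloud Code hook: the vulnerable internal pipeline path skips this step.
  const hook = beforeFindHooks[className];
  if (invokeHooks && hook) query = hook(query, user);
  // 2. CLP check, enforced by the data layer on every path.
  const principals = ['*', `user:${user.id}`, ...user.roles.map((r) => `role:${r}`)];
  const allowed = classPermissions[className].find;
  if (!allowed.some((p) => principals.includes(p))) throw new Error(`CLP denies find on ${className}`);
  // 3. Per-object ACL filter, also enforced on every path.
  return store[className].filter((obj) =>
    Object.entries(query.where).every(([k, v]) => obj[k] === v) &&
    obj.readACL.some((p) => principals.includes(p)));
}

// Scenario A: the only protection is a beforeFind hook scoping the query to the
// caller's own rows; class and objects are otherwise publicly readable.
function triggerOnlyScenario(user, invokeHooks) {
  registerBeforeFind('Invoice', (query, u) => ({ ...query, where: { ...query.where, owner: u.id } }));
  classPermissions.Invoice.find = ['*'];
  for (const obj of store.Invoice) obj.readACL = ['*'];
  return runFind('Invoice', {}, user, { invokeHooks }).map((o) => o.objectId);
}

// Scenario B: the same restriction expressed as a CLP plus per-object ACLs, no hook.
function aclScenario(user, invokeHooks) {
  delete beforeFindHooks.Invoice;
  classPermissions.Invoice.find = ['role:customer'];
  for (const obj of store.Invoice) obj.readACL = [`user:${obj.owner}`];
  return runFind('Invoice', {}, user, { invokeHooks }).map((o) => o.objectId);
}
```

Running both scenarios with invokeHooks set to false models the internal pipeline path: scenario A returns every invoice, scenario B still returns only the caller's own.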
Affected Version(s)
parse-server: affected >= 1.0.0, < 5.5.5 (unaffected < 1.0.0; fixed in 5.5.5)
parse-server: affected >= 6.0.0, < 6.2.2 (unaffected < 6.0.0; fixed in 6.2.2)