8.2

CVE-2022-31112

Protected fields exposed via LiveQuery in parse-server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable to upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.
Data provided by the National Vulnerability Database (NVD)
Parseplatform Parse-server (SwPlatform: node.js), Version < 4.10.13
Parseplatform Parse-server (SwPlatform: node.js), Version >= 5.0.0 < 5.2.4
No warning was found for this CVE.
EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 1.01% | 0.585 |
CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 8.2 | 3.9 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| nvd@nist.gov | 6.4 | 10 | 4.9 | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| security-advisories@github.com | 8.2 | 3.9 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1 (Patch, Third Party Advisory)
https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6 (Patch, Third Party Advisory)
https://github.com/parse-community/parse-server/issues/8073 (Patch, Third Party Advisory, Release Notes, Issue Tracking)
https://github.com/parse-community/parse-server/pull/8074 (Patch, Third Party Advisory, Release Notes)
https://github.com/parse-community/parse-server/releases/tag/5.2.4 (Third Party Advisory, Release Notes)
https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh (Third Party Advisory)