CVE-2022-36079

EPSS 0.97%
Veröffentlicht 07.09.2022 21:15:08
Zuletzt bearbeitet 21.11.2024 07:12:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 4.10.14

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 5.0.0 < 5.2.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.97%	0.571

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec

Patch

Third Party Advisory

https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4

Patch

Third Party Advisory

https://github.com/parse-community/parse-server/issues/8143

Third Party Advisory

Issue Tracking

https://github.com/parse-community/parse-server/issues/8144

Third Party Advisory

Issue Tracking

https://github.com/parse-community/parse-server/releases/tag/4.10.14

Third Party Advisory

Release Notes

https://github.com/parse-community/parse-server/releases/tag/5.2.5

Third Party Advisory

Release Notes

https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-36079

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-36079

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-36079

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-36079