7.5

CVE-2023-46119

Parse Server may crash when uploading file without extension

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ParseplatformParse-server SwPlatformnode.js Version >= 1.0.0 < 5.5.6
ParseplatformParse-server SwPlatformnode.js Version >= 6.0.0 < 6.3.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.05% 0.599
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe
Patch
https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0
Patch
https://github.com/parse-community/parse-server/releases/tag/5.5.6
Release Notes
https://github.com/parse-community/parse-server/releases/tag/6.3.1
Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579
Vendor Advisory