CVE-2019-1020012 – parse-server

Package

Manager: npm
Name: parse-server
Vulnerable Version: >=0 <3.4.1

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00334 pctl0.5564

Details

Parse Server before v3.4.1 vulnerable to Denial of Service ### Impact If a POST request is made to /parse/classes/_Audience (or other volatile class), any subsuquent POST requests result in an internal server error (500). ### Patches Afflicted installations will also have to remove the offending collection from their database. Yes, patched in 3.4.1 ### Workarounds Yes, user can apply: https://github.com/parse-community/parse-server/commit/8709daf698ea69b59268cb66f0f7cee75b52daa5 ### References Nothing other than this advisory at this time ### For more information If you have any questions or comments about this advisory: * Open an issue in [parse-server](https://github.com/parse-community/parse-server) * Email us at [security@parseplatform.org](mailto:security@parseplatform.org)

Metadata

Created: 2019-06-13T16:22:13Z
Modified: 2022-09-13T22:16:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-2479-qvv7-47qq/GHSA-2479-qvv7-47qq.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-2479-qvv7-47qq
Finding: F110
Auto approve: 1