CVE-2023-41058 – parse-server

Package

Manager: npm
Name: parse-server
Vulnerable Version: >=1.0.0 <5.5.5 || >=6.0.0 <6.2.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00214 pctl0.43947

Details

Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer ### Impact A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the `beforeFind` query trigger which can be an additional vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify an incoming query. ### Patches The vulnerability was fixed by implementing a patch in the internal query pipeline to prevent a Parse Pointer to be used to access internal Parse Server classes or circumvent the `beforeFind` trigger. ### Workarounds There is no known workaround to prevent a Parse Pointer to be used to access internal Parse Server classes. A workaround if a `beforeFind` trigger is used as a security layer is to instead use the Parse Server provided [security layers](https://docs.parseplatform.org/parse-server/guide/#security) to manage access levels with Class-Level Permissions and Object-Level Access Control. ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q - Patched in Parse Server 6.x: https://github.com/parse-community/parse-server/releases/tag/6.2.2 - Patched in Parse Server 5.x (LTS): https://github.com/parse-community/parse-server/releases/tag/5.5.5

Metadata

Created: 2023-09-04T22:40:41Z
Modified: 2023-09-04T22:40:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-fcv6-fg5r-jm9q/GHSA-fcv6-fg5r-jm9q.json
CWE IDs: ["CWE-670"]
Alternative ID: GHSA-fcv6-fg5r-jm9q
Finding: F164
Auto approve: 1