
CVSS: 8.6 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed from responses by Parse Server and are only returned to a client that presents a valid master key. However, because they could still be used as query constraints, their values could be guessed by enumerating candidate constraints until Parse Server, prior to versions 4.10.14 and 5.2.5, returned a matching response object. The patch available in versions 4.10.14 and 5.2.5 requires the master key to use internal and protected fields as query constraints. • https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4 https://github.com/parse-community/parse-server/issues/8143 https://github.com/parse-community/parse-server/issues/8144 https://github.com/parse-community/parse-server/releases/tag/4.10.14 https://github.com/parse-community/parse-server/releases/tag/5.2.5 https://github.com/parse-community/parse-server/security/advisories/GHSA • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.2 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, Parse Server LiveQuery does not remove protected fields from the objects in LiveQuery events and therefore passes them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable to upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields. • https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1 https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6 https://github.com/parse-community/parse-server/issues/8073 https://github.com/parse-community/parse-server/pull/8074 https://github.com/parse-community/parse-server/releases/tag/5.2.4 https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
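The two entries above describe the same class of defect from two sides: protected and internal fields leaking through query constraints (an oracle that answers match/no-match without ever returning the value) and leaking through LiveQuery events (the value itself sent to the client). The block below is an added example, not Parse Server's own code, that models both checks over plain objects: a gate that refuses constraints on such fields unless the master key is present, and a filter of the kind an `afterLiveQueryEvent` hook had to apply by hand before 5.2.4. The field names (`ssn`, `Profile`) and the rule that internal fields are single-underscore keys while `__type`/`__op` are JSON envelope markers are assumptions made for the example.

```javascript
// Added example; not Parse Server's own code. Toy model of the two
// protected-field checks described in the advisories above.
// Assumptions: `protectedFields` is a plain list of field names configured
// for the class; internal fields are single-underscore keys such as
// "_hashed_password"; "__type"/"__op" are JSON markers, not fields.

function isInternalKey(key) {
  return key.startsWith('_') && !key.startsWith('__');
}

function isProtectedKey(key, protectedFields) {
  // A dotted key ("secret.length") constrains the top-level field "secret".
  const top = key.split('.')[0];
  return isInternalKey(top) || protectedFields.includes(top);
}

// Walk a Parse-style `where` clause, descending into $or/$and/$nor branches,
// and collect every internal/protected key it tries to constrain.
function findProtectedConstraints(where, protectedFields, found = []) {
  if (!where || typeof where !== 'object' || Array.isArray(where)) return found;
  for (const [key, value] of Object.entries(where)) {
    if (key === '$or' || key === '$and' || key === '$nor') {
      for (const branch of Array.isArray(value) ? value : []) {
        findProtectedConstraints(branch, protectedFields, found);
      }
    } else if (isProtectedKey(key, protectedFields)) {
      found.push(key);
    }
  }
  return found;
}

// Gate a query: without the master key, any constraint on such a field is an
// oracle (the server still answers "match"/"no match" even though the field
// value is never returned), so reject the whole query.
function assertQueryConstraintsAllowed(where, protectedFields, { useMasterKey = false } = {}) {
  if (useMasterKey) return true;
  const keys = findProtectedConstraints(where, protectedFields);
  if (keys.length > 0) {
    throw new Error(`master key required to constrain field(s): ${keys.join(', ')}`);
  }
  return true;
}

// Reduce a JSON object (as carried in a LiveQuery event) to client-visible keys.
function stripProtectedFields(json, protectedFields, { useMasterKey = false } = {}) {
  if (useMasterKey) return { ...json };
  const out = {};
  for (const [key, value] of Object.entries(json)) {
    if (!isProtectedKey(key, protectedFields)) out[key] = value;
  }
  return out;
}

// Sketch of the hook wiring on a server older than 5.2.4. The hook name is
// Parse Server's Cloud Code API; the class name and field list are assumptions.
//
//   Parse.Cloud.afterLiveQueryEvent('Profile', request => {
//     for (const key of Object.keys(request.object.toJSON())) {
//       if (isProtectedKey(key, ['ssn', 'salary'])) request.object.unset(key);
//     }
//   });
```

The gate walks into `$or`/`$and`/`$nor` and looks at the first segment of dotted keys because a constraint hidden in a nested branch or behind `secret.length` is just as good an oracle as a top-level equality; checking only top-level keys of `where` would leave the leak open.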

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, certain types of invalid file requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as a single instance without redundancy, the availability impact may be high. This issue has been addressed in versions 4.10.12 and 5.2.3. Users are advised to upgrade. • https://github.com/parse-community/parse-server/commit/5be375dec2fa35425c1003ae81c55995ac72af92 https://github.com/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9 • CWE-252: Unchecked Return Value CWE-706: Use of Incorrectly-Resolved Name or Reference •

CVSS: 8.6 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter was not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object. Versions 4.10.11 and 5.2.2 prevent this by introducing a new `rootCertificateUrl` property to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple's Game Center authentication certificate. If no value is set, the `rootCertificateUrl` property defaults to the URL of the current root certificate as of May 27, 2022. • https://developer.apple.com/news/?id=stttq465 https://github.com/parse-community/parse-server/commit/ba2b0a9cb9a568817a114b132a4c2e0911d76df1 https://github.com/parse-community/parse-server/pull/8054 https://github.com/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc • CWE-287: Improper Authentication CWE-295: Improper Certificate Validation •

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication and leaves the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it. • https://github.com/parse-community/parse-server/security/advisories/GHSA-qf8x-vqjv-92gr • CWE-287: Improper Authentication CWE-295: Improper Certificate Validation •