CVE-2022-24760

Command Injection in Parse server

Severity Score

10.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm.

Parse Server es un backend de servidor web http de código abierto. En versiones anteriores a 4.10.7, se presenta una vulnerabilidad de Ejecución de Código Remota (RCE) en Parse Server. Esta vulnerabilidad afecta a Parse Server en la configuración por defecto con MongoDB. La principal debilidad que conlleva a RCE es el código vulnerable Prototype Pollution en el archivo "DatabaseController.js", por lo que es probable que afecte también a Postgres y a cualquier otro backend de base de datos. Esta vulnerabilidad ha sido confirmada en Linux (Ubuntu) y Windows. Es recomendado a usuarios actualizar lo antes posible. La única medida de mitigación conocida es parchear manualmente su instalación con el código referenciado en la fuente GHSA-p6h4-93qp-jhcm

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-03-11 CVE Published
2022-03-31 First Exploit
2024-08-03 CVE Updated
2024-11-24 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC
https://github.com/tuo4n8/CVE-2022-24760	2022-03-31
https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm	2024-08-03
https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099	2024-08-03

URL	Date	SRC
https://github.com/parse-community/parse-server/commit/886bfd7cac69496e3f73d4bb536f0eec3cba0e4d	2022-07-01

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Parseplatform Search vendor "Parseplatform"	Parse-server Search vendor "Parseplatform" for product "Parse-server"	< 4.10.7 Search vendor "Parseplatform" for product "Parse-server" and version " < 4.10.7"	node.js	Affected	in	Canonical Search vendor "Canonical"	Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"	-	-	Safe
Parseplatform Search vendor "Parseplatform"	Parse-server Search vendor "Parseplatform" for product "Parse-server"	< 4.10.7 Search vendor "Parseplatform" for product "Parse-server" and version " < 4.10.7"	node.js	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe