CVE-2022-36079
Parse Server vulnerable to brute force guessing of user sensitive data via search patterns
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are stripped by Parse Server and are only returned to a client that presents a valid master key. However, by using these fields as query constraints, their values can be guessed by enumerating candidates until Parse Server, prior to versions 4.10.14 and 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the master key in order to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove those query constraints.
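The `beforeFind` workaround from the description, as an added example that is not from the advisory or the Parse Server project: it strips constraints on `_`-prefixed internal keys and on a protected-field list from non-master queries, including inside `$or`/`$and`/`$nor` clauses and `$inQuery`/`$notInQuery` sub-queries. `PROTECTED_FIELDS` is a constructed placeholder for the deployment's own list, and the hook assumes the Parse JS SDK's `req.master`, `req.query.toJSON()` and `Parse.Query.fromJSON`.

```javascript
// Constructed placeholder: the user-defined protected fields of this deployment.
const PROTECTED_FIELDS = new Set(['email', 'phone']);

// Internal keys are prefixed with `_` (e.g. _hashed_password); protected keys are configured.
function isRestrictedKey(key) {
  return key.startsWith('_') || PROTECTED_FIELDS.has(key);
}

// Returns { where, dropped }: a copy of the REST `where` clause with restricted keys
// removed, plus the list of keys that were dropped. Recurses into $or/$and/$nor and
// into $inQuery/$notInQuery sub-queries so a probing constraint cannot hide in a
// nested clause. A branch emptied by the removal matches everything, so it leaks nothing.
function sanitizeWhere(where, dropped = []) {
  const out = {};
  for (const [key, value] of Object.entries(where || {})) {
    if (isRestrictedKey(key)) {
      dropped.push(key);
      continue;
    }
    if (['$or', '$and', '$nor'].includes(key) && Array.isArray(value)) {
      out[key] = value.map((branch) => sanitizeWhere(branch, dropped).where);
      continue;
    }
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const copy = { ...value };
      for (const op of ['$inQuery', '$notInQuery']) {
        if (copy[op] && copy[op].where) {
          copy[op] = { ...copy[op], where: sanitizeWhere(copy[op].where, dropped).where };
        }
      }
      out[key] = copy;
      continue;
    }
    out[key] = value;
  }
  return { where: out, dropped };
}

// Register the trigger only when running inside Parse Server (Cloud Code).
// Assumed SDK surface: req.master, req.query.toJSON(), Parse.Query.fromJSON.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeFind('_User', (req) => {
    if (req.master) return req.query; // the master key may keep these constraints
    const json = req.query.toJSON();
    const { where, dropped } = sanitizeWhere(json.where);
    if (dropped.length > 0) console.warn(`beforeFind(_User): dropped constraints on ${dropped.join(', ')}`);
    return Parse.Query.fromJSON('_User', { ...json, where });
  });
}
```

Register the same trigger for every class that carries protected fields; the field list is per class in a real deployment, so the placeholder set should be replaced accordingly.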
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-07-15 CVE Reserved
- 2022-09-07 CVE Published
- 2024-03-30 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (7)
URL | Tag | Source
---|---|---
https://github.com/parse-community/parse-server/issues/8143 | Issue Tracking |
https://github.com/parse-community/parse-server/issues/8144 | Issue Tracking |
https://github.com/parse-community/parse-server/releases/tag/4.10.14 | Release Notes |
https://github.com/parse-community/parse-server/releases/tag/5.2.5 | Release Notes |
https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6 | Third Party Advisory |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Parseplatform | Parse-server | < 4.10.14 | node.js | Affected
Parseplatform | Parse-server | >= 5.0.0 < 5.2.5 | node.js | Affected