Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.

Remediation

References

https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1

https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6

https://github.com/parse-community/parse-server/issues/8073

https://github.com/parse-community/parse-server/pull/8074

https://github.com/parse-community/parse-server/releases/tag/5.2.4

https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh

Related Vulnerabilities

CVE-2022-47551 Vulnerability in maven package io.apiman:apiman-manager-api-rest-impl

CVE-2022-21213 Vulnerability in npm package mout

CVE-2018-1000192 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2021-39168 Vulnerability in npm package @openzeppelin/contracts-upgradeable

CVE-2023-22457 Vulnerability in maven package org.xwiki.contrib:application-ckeditor-plugins

Severity

Critical

Classification

CWE-212 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Tags

Patch Third Party Advisory Issue Tracking Release Notes