Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05M3Z3LThmbTUtcDJqZs4AAv0A
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
Impact
A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.
Patches
Improved keyword detection.
Workarounds
None.
Collaborators
Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative
References
Permalink: https://github.com/advisories/GHSA-93vw-8fm5-p2jfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05M3Z3LThmbTUtcDJqZs4AAv0A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 8 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-93vw-8fm5-p2jf, CVE-2022-41879
References:
- https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf
- https://github.com/parse-community/parse-server/pull/8305
- https://github.com/parse-community/parse-server/pull/8306
- https://github.com/parse-community/parse-server/commit/60c5a73d257e0d536056b38bdafef8b7130524d8
- https://github.com/parse-community/parse-server/commit/6c63f04ba37174021082a5b5c4ba1556dcc954f4
- https://github.com/parse-community/parse-server/releases/tag/4.10.20
- https://github.com/parse-community/parse-server/releases/tag/5.3.3
- https://nvd.nist.gov/vuln/detail/CVE-2022-41879
- https://github.com/advisories/GHSA-93vw-8fm5-p2jf
Blast Radius: 22.2
Affected Packages
npm:parse-server
Dependent packages: 122Dependent repositories: 1,211
Downloads: 107,678 last month
Affected Version Ranges: >= 5.0.0, < 5.3.3, < 4.10.20
Fixed in: 5.3.3, 4.10.20
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, 2.2.21, 2.2.22, 2.2.23, 2.2.24, 2.2.25, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.1, 3.2.3, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.4, 3.5.0, 3.6.0, 3.7.0, 3.7.2, 3.8.0, 3.9.0, 3.10.0, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.10.8, 4.10.9, 4.10.10, 4.10.11, 4.10.12, 4.10.13, 4.10.14, 4.10.15, 4.10.16, 4.10.17, 4.10.18, 4.10.19, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.3.0, 5.3.1, 5.3.2
All unaffected versions: 4.10.20, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.6.0, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 7.0.0