Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14cHJ2LXd2aDctcXFxeM4AAvxw
Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers
Impact
Keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the requestKeywordDenylist option.
Patches
Improved keyword detection.
Workarounds
Configure your firewall to only allow trusted servers to make requests to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.
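The advisory describes data returned by a Cloud Code Webhook or Trigger reaching the database without the keyword check that requestKeywordDenylist applies to client requests. The following is an added example, not Parse Server's own code, of a defender-side screen that applies a denylist-style check to a webhook response body before it is persisted; the entry shape ({ key } or { key, value }) and the screenWebhookResponse helper are assumptions made here.

```javascript
// Added example, not Parse Server's own code. Screens data returned by a
// Cloud Code Webhook or Trigger against a requestKeywordDenylist-style
// list before it is persisted. The entry shape ({ key } or { key, value })
// mirrors the documented option but is an assumption here.
const DENYLIST = [
  { key: '_bsontype', value: 'Code' },
  { key: 'constructor' },
  { key: '__proto__' },
];

// Recursively walk own properties (arrays included) and return the dotted
// path of the first key that matches a denylist entry, or null if clean.
// Own keys only: JSON.parse creates "__proto__" as an own property, so it
// is visible here, whereas an object literal would set the prototype.
function findDeniedKeyword(obj, denylist = DENYLIST, path = []) {
  if (obj === null || typeof obj !== 'object') return null;
  const entries = Array.isArray(obj)
    ? obj.map((v, i) => [String(i), v])
    : Object.entries(obj);
  for (const [key, value] of entries) {
    const here = [...path, key];
    for (const rule of denylist) {
      if (rule.key !== key) continue;
      // A rule without a value matches the key alone; with a value,
      // both must match (e.g. _bsontype: "Code" but not "Binary").
      if (rule.value === undefined || rule.value === value) {
        return here.join('.');
      }
    }
    const nested = findDeniedKeyword(value, denylist, here);
    if (nested !== null) return nested;
  }
  return null;
}

// Hypothetical hook: parse the raw webhook response body and decide
// whether it may be saved. Returns { ok, object } or { ok, reason }.
function screenWebhookResponse(rawBody, denylist = DENYLIST) {
  const body = JSON.parse(rawBody);
  const hit = findDeniedKeyword(body, denylist);
  if (hit !== null) {
    return { ok: false, reason: `denied keyword at ${hit}` };
  }
  return { ok: true, object: body };
}

// Constructed sample: a webhook reply carrying a denied key deep inside a
// nested field of an otherwise ordinary object.
const SAMPLE = '{"success":{"title":"hello","meta":{"__proto__":{"admin":true}}}}';
console.log(screenWebhookResponse(SAMPLE)); // { ok: false, reason: 'denied keyword at success.meta.__proto__' }
```

A shallow check of only top-level keys would accept the sample above; the recursive walk is what makes the denylist hold for nested and array-wrapped fields.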
Collaborators
Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative
Permalink: https://github.com/advisories/GHSA-xprv-wvh7-qqqx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cHJ2LXd2aDctcXFxeM4AAvxw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 8 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-xprv-wvh7-qqqx, CVE-2022-41878
References:
- https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx
- https://github.com/parse-community/parse-server/pull/8301
- https://github.com/parse-community/parse-server/pull/8302
- https://github.com/parse-community/parse-server/commit/0a2d412e265992d53a670011afd9d2578562adc3
- https://github.com/parse-community/parse-server/commit/6728da1e3591db1e27031d335d64d8f25546a06f
- https://nvd.nist.gov/vuln/detail/CVE-2022-41878
- https://github.com/advisories/GHSA-xprv-wvh7-qqqx
Blast Radius: 22.2
Affected Packages
npm:parse-server
Dependent packages: 122
Dependent repositories: 1,211
Downloads: 111,212 last month
Affected Version Ranges: >= 5.0.0, < 5.3.2, < 4.10.19
Fixed in: 5.3.2, 4.10.19
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, 2.2.21, 2.2.22, 2.2.23, 2.2.24, 2.2.25, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.1, 3.2.3, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.4, 3.5.0, 3.6.0, 3.7.0, 3.7.2, 3.8.0, 3.9.0, 3.10.0, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.10.8, 4.10.9, 4.10.10, 4.10.11, 4.10.12, 4.10.13, 4.10.14, 4.10.15, 4.10.16, 4.10.17, 4.10.18, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.3.0, 5.3.1
All unaffected versions: 4.10.19, 4.10.20, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.6.0, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 7.0.0