Protected fields exposed via LiveQuery

High severity GitHub Reviewed Published Jul 6, 2022 in parse-community/parse-server • Updated Jul 6, 2022


Package

parse-server (npm)

Affected versions

< 4.10.13

>= 5.0.0, < 5.2.4

Patched versions

4.10.13

5.2.4

Description

Impact

Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.

Patches

The LiveQueryController now removes protected fields from the client response.

Workarounds

Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.
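
As an added example (not part of the advisory and not Parse Server's own code), a Cloud Code hook that applies the workaround above: it removes protected fields from the event payload before the LiveQuery server delivers it to the subscribing client. The `Profile` class, its fields and the `PROTECTED_FIELDS` map are constructed assumptions that mirror the shape of the schema's `protectedFields` CLP; the resolution rule used here (a field stays hidden only when every applicable key protects it) is this example's own approximation of the server's behaviour.

```javascript
// Constructed assumption: a hypothetical "Profile" class. Keys follow the
// protectedFields CLP shape: '*' (everyone), 'authenticated' (any logged-in
// user), a user objectId, or 'userField:<ptr>' (the user that pointer names).
const PROTECTED_FIELDS = {
  Profile: {
    '*': ['email', 'phone', 'ssnLast4'], // hidden from anonymous subscribers
    authenticated: ['ssnLast4'],          // logged-in users still miss this one
    'userField:owner': [],                // the profile's owner sees everything
  },
};

// Collect every rule that applies to this user for this object and keep only
// the fields that all of them hide (this example's approximation of how the
// server resolves overlapping protectedFields keys).
function resolveProtected(rules, user, object) {
  if (!rules) return [];
  const applicable = [];
  if (rules['*']) applicable.push(rules['*']);
  if (user) {
    if (rules.authenticated) applicable.push(rules.authenticated);
    if (rules[user.id]) applicable.push(rules[user.id]);
    for (const key of Object.keys(rules)) {
      if (!key.startsWith('userField:')) continue;
      const pointer = object.get(key.slice('userField:'.length));
      if (pointer && pointer.id === user.id) applicable.push(rules[key]);
    }
  }
  if (applicable.length === 0) return [];
  return applicable.slice(1).reduce(
    (hidden, rule) => hidden.filter(f => rule.includes(f)), [...applicable[0]]);
}

// afterLiveQueryEvent handler: request.object is the Parse.Object about to be
// sent, request.user the subscriber (undefined when anonymous), and
// request.original the previous version carried by update events.
function stripProtectedFields(request) {
  const rules = PROTECTED_FIELDS[request.object.className];
  const hidden = resolveProtected(rules, request.user, request.object);
  for (const target of [request.object, request.original]) {
    if (!target) continue;
    hidden.forEach(field => target.unset(field));
  }
  return hidden; // returned so the result can be checked; Cloud Code ignores it
}

// Cloud Code defines the Parse global; outside it the registration is skipped.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Object.keys(PROTECTED_FIELDS).forEach(cls =>
    Parse.Cloud.afterLiveQueryEvent(cls, stripProtectedFields));
}
```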

References

  • GHSA-crrq-vr9j-fxxh
  • https://github.com/parse-community/parse-server

For more information

If you have any questions or comments about this advisory:

  • For questions or comments about this vulnerability visit our community forum or community chat
  • Report other vulnerabilities at report.parseplatform.org

References

  • GHSA-crrq-vr9j-fxxh
  • https://nvd.nist.gov/vuln/detail/CVE-2022-31112
  • parse-community/parse-server#8073
  • parse-community/parse-server#8074
  • parse-community/parse-server@309f64c
  • parse-community/parse-server@9fd4516
  • https://github.com/parse-community/parse-server/releases/tag/5.2.4

mtrezza published the maintainer security advisory

Jun 30, 2022

Severity

High 8.2 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: Low
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Weaknesses

CWE-200

CVE ID

CVE-2022-31112

GHSA ID

GHSA-crrq-vr9j-fxxh

Source code

parse-community/parse-server


Related news

CVE-2022-31112: fix: protected fields exposed via LiveQuery; this removes protected f… · parse-community/parse-server@309f64c

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable to upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.