Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-2m6g-crv8-p3c6: Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Impact

Internal fields (keys used internally by Parse Server, prefixed by _) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object.

Patches

The patch requires the maser key to use internal and protected fields as query constraints.

Workarounds

Implement a Parse Cloud Trigger beforeFind and manually remove the query constraints, such as:

Parse.Cloud.beforeFind('TestObject', ({ query }) => {
  for (const key in query._where || []) {
    // Repeat logic for protected fields
    if (key.charAt(0) === '_') {
      delete query._where[key];
    }
  }
});

References

  • https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6
ghsa
#vulnerability#nodejs#js#git

Package

npm parse-server (npm)

Affected versions

< 4.10.14

>= 5.0.0, < 5.2.5

Patched versions

4.10.14

5.2.5

Description

Impact

Internal fields (keys used internally by Parse Server, prefixed by _) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object.

Patches

The patch requires the maser key to use internal and protected fields as query constraints.

Workarounds

Implement a Parse Cloud Trigger beforeFind and manually remove the query constraints, such as:

Parse.Cloud.beforeFind('TestObject’, ({ query }) => { for (const key in query._where || []) { // Repeat logic for protected fields if (key.charAt(0) === ‘_’) { delete query._where[key]; } } });

References

  • GHSA-2m6g-crv8-p3c6

References

  • GHSA-2m6g-crv8-p3c6
  • https://nvd.nist.gov/vuln/detail/CVE-2022-36079
  • parse-community/parse-server#8143
  • parse-community/parse-server#8144
  • parse-community/parse-server@634c44a
  • parse-community/parse-server@e39d51b
  • https://github.com/parse-community/parse-server/releases/tag/4.10.14
  • https://github.com/parse-community/parse-server/releases/tag/5.2.5

mtrezza published the maintainer security advisory

Sep 2, 2022

Severity

High

8.6

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Weaknesses

CWE-200

CVE ID

CVE-2022-36079

GHSA ID

GHSA-2m6g-crv8-p3c6

Source code

parse-community/parse-server

Credits

  • s00py

Checking history

See something to contribute? Suggest improvements for this vulnerability.

Related news

Parse Server fixes brute-forcing bug that put sensitive user data at risk

Open source project provides push notification functionality for iOS, macOS, Android, and tvOS

CVE-2022-36079: Brute force guessing of user sensitive data via search patterns

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints.

ghsa: Latest News

GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP