Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-prm5-8g2m-24gg: Remote code execution via MongoDB BSON parser through prototype pollution

Impact

An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.

Patches

Prevent prototype pollution in MongoDB database adapter.

Workarounds

Disable remote code execution through the MongoDB BSON parser.

Collaborators

Mikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative

References

  • https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg
ghsa
#vulnerability#nodejs#git#rce#zero_day#mongo

Package

npm parse-server (npm)

Affected versions

< 4.10.18

>= 5.0.0, < 5.3.1

Patched versions

4.10.18

5.3.1

Description

Impact

An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.

Patches

Prevent prototype pollution in MongoDB database adapter.

Workarounds

Disable remote code execution through the MongoDB BSON parser.

Collaborators

Mikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative

References

  • GHSA-prm5-8g2m-24gg

References

  • GHSA-prm5-8g2m-24gg
  • parse-community/parse-server#8295
  • parse-community/parse-server#8296
  • https://github.com/parse-community/parse-server/releases/tag/4.10.18
  • https://github.com/parse-community/parse-server/releases/tag/5.3.1

mtrezza published the maintainer security advisory

Nov 8, 2022

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-prm5-8g2m-24gg

Source code

parse-community/parse-server

Checking history

See something to contribute? Suggest improvements for this vulnerability.

ghsa: Latest News

GHSA-486g-47cc-8wxf: aiocpa contains credential harvesting code