BIT-parse-2022-31112

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2022-31112.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-parse-2022-31112
Aliases
Published
2024-03-06T11:02:26.390Z
Modified
2025-05-20T10:02:07.006Z
Summary
Protected fields exposed via LiveQuery in parse-server
Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.

Database specific
{
    "cpes": [
        "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / parse

Package

Name
parse
Purl
pkg:bitnami/parse

Severity

  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.10.13
Introduced
5.0.0
Fixed
5.2.4