BIT-parse-2024-47183
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2024-47183.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-parse-2024-47183
- Aliases
- Published
- 2024-10-08T07:14:06.158Z
- Modified
- 2024-10-08T08:12:09.784629Z
- Summary
- [none]
- Details
-
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0.
- Database specific
{ "cpes": [ "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*" ], "severity": "High" }- References
-
- https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc
- https://github.com/parse-community/parse-server/commit/1bfbccf9ee7ea77533b2b2aa7c4c69f3bd35e66f
- https://github.com/parse-community/parse-server/pull/9317
- https://github.com/parse-community/parse-server/pull/9318
- https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg
Affected packages
Bitnami / parse
Package
- Name
- parse
- Purl
- pkg:bitnami/parse
Severity
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator