GHSA-crrq-vr9j-fxxh

Suggest an improvement
Source
https://github.com/advisories/GHSA-crrq-vr9j-fxxh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-crrq-vr9j-fxxh/GHSA-crrq-vr9j-fxxh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-crrq-vr9j-fxxh
Aliases
Related
Published
2022-07-06T19:52:23Z
Modified
2023-12-06T01:02:18.617929Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
Protected fields exposed via LiveQuery
Details

Impact

Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.

Patches

The LiveQueryController now removes protected fields from the client response.

Workarounds

Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.

References

  • https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
  • https://github.com/parse-community/parse-server

For more information

If you have any questions or comments about this advisory: - For questions or comments about this vulnerability visit our community forum or community chat - Report other vulnerabilities at report.parseplatform.org

Database specific
{
    "github_reviewed_at": "2022-07-06T19:52:23Z",
    "github_reviewed": true,
    "nvd_published_at": "2022-06-30T17:15:00Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-212"
    ],
    "severity": "HIGH"
}
References

Affected packages

npm / parse-server

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.10.13

npm / parse-server

Package

Affected ranges

Type
SEMVER
Events
Introduced
5.0.0
Fixed
5.2.4