GHSA-crrq-vr9j-fxxh

Source

https://github.com/advisories/GHSA-crrq-vr9j-fxxh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-crrq-vr9j-fxxh/GHSA-crrq-vr9j-fxxh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-crrq-vr9j-fxxh

Aliases

Related

CVE-2022-31112

Published

2022-07-06T19:52:23Z

Modified

2023-12-06T01:02:18.617929Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator

Summary

Protected fields exposed via LiveQuery

Details

Impact

Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.

Patches

The LiveQueryController now removes protected fields from the client response.

Workarounds

Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
https://github.com/parse-community/parse-server

For more information

If you have any questions or comments about this advisory: - For questions or comments about this vulnerability visit our community forum or community chat - Report other vulnerabilities at report.parseplatform.org

Database specific

{
    "github_reviewed_at": "2022-07-06T19:52:23Z",
    "github_reviewed": true,
    "nvd_published_at": "2022-06-30T17:15:00Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-212"
    ],
    "severity": "HIGH"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.10.13