CVE-2022-31112

 

Published at: - 30-06-2022 07:15

Last modified: - 11-07-2022 07:16

Total changes: - 3

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

 

Verification logic

 

Reference

• https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1
• https://github.com/parse-community/parse-server/releases/tag/5.2.4
• https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
• https://github.com/parse-community/parse-server/pull/8074
• https://github.com/parse-community/parse-server/issues/8073
• https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6

 

Keywords

NVD

 

CVE-2022-31112

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures