CVE-2020-15126: Information disclosure through Viewer query in parse-server
First published: Wed Jul 22 2020(Updated: )
### Impact An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object. ### Patches This vulnerability has been patched in Parse Server 4.3.0. ### Workarounds No ### References See [commit 78239ac](https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa) for details.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Parseplatform Parse Server | >=3.5.0<4.3.0 | |
| npm/parse-server | >=3.5.0<4.3.0 | 4.3.0 |
Remedy
https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
- https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
- https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
- https://nvd.nist.gov/vuln/detail/CVE-2020-15126
- https://github.com/advisories/GHSA-236h-rqv8-8q73 (Advisory)
Frequently Asked Questions
What is CVE-2020-15126?
CVE-2020-15126 is a vulnerability in parser-server that allows an authenticated user to bypass read security on their User object and linked objects.
What is the impact of CVE-2020-15126?
The impact of CVE-2020-15126 is that an authenticated user can bypass read security on their User object and linked objects.
How can CVE-2020-15126 be fixed?
CVE-2020-15126 has been fixed in Parse Server 4.3.0, so upgrading to this version will fix the vulnerability.
Are there any workarounds for CVE-2020-15126?
No, there are no workarounds for CVE-2020-15126.
Where can I find more information about CVE-2020-15126?
You can find more information about CVE-2020-15126 in the references provided: [GitHub Changelog](https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430), [GitHub Commit](https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa), [GitHub Security Advisory](https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73).
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-236h-rqv8-8q73
- alias/CVE-2020-15126
- collector/github-advisory
- collector/nvd-cve
- agent/softwarecombine
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/remedy
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- agent/trending
- vendor/parseplatform
- canonical/parseplatform parse server
- version/parseplatform parse server/3.5.0
- package-manager/npm