CVE-2020-5251: Information disclosure in parse-server
First published: Wed Mar 04 2020(Updated: )
In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Parseplatform Parse-server | <4.1.0 |
Remedy
https://github.com/parse-community/parse-server/commit/3a3a5eee5ffa48da1352423312cb767de14de269
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-5251?
CVE-2020-5251 is a vulnerability in parser-server before version 4.1.0 that allows an attacker to fetch all user objects using a regex in the NoSQL query.
How can an attacker exploit CVE-2020-5251?
An attacker can exploit CVE-2020-5251 by using a regex on the sessionToken to find valid accounts.
What is the severity of CVE-2020-5251?
CVE-2020-5251 has a severity rating of 5.3 (High).
What software versions are affected by CVE-2020-5251?
Versions of parse-server up to and excluding 4.1.0 are affected by CVE-2020-5251.
How do I fix CVE-2020-5251?
To fix CVE-2020-5251, upgrade to version 4.1.0 or later of parse-server.
- collector/nvd-index
- agent/references
- agent/type
- agent/weakness
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/parseplatform
- canonical/parseplatform parse-server