First published: Sat Mar 12 2022
Parse Server is an open source HTTP web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with the code referenced in the advisory GHSA-p6h4-93qp-jhcm.
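The advisory names prototype pollution as the root weakness: a request body whose keys such as `__proto__` or `constructor` are walked or merged into a plain object can end up writing to `Object.prototype`, and the database layer is one place where such objects are processed. The following is an added example, not Parse Server's own code and not the fix in the referenced commit; it assumes a generic integration point where every parsed JSON body is checked before it reaches a query builder or database layer, and the sample bodies are constructed.

```javascript
// Added example (not Parse Server's own code, nor the fix in the referenced
// commit): an input guard that rejects request bodies carrying keys which can
// reach Object.prototype when the object is later merged or walked.
// Assumption: the guard runs on every parsed JSON body before it reaches a
// query builder or database layer such as the one the advisory names.

// Keys that, when merged into a plain object, can modify the shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks a parsed JSON value and returns the path of the first forbidden key,
// or null when the value is clean. JSON.parse creates "__proto__" as an own,
// enumerable property, so Object.keys() does list it here.
function findPollutingKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutingKey(value[i], `${path}[${i}]`);
      if (hit !== null) return hit;
    }
    return null;
  }
  for (const key of Object.keys(value)) {
    const childPath = path === '' ? key : `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) return childPath;
    const hit = findPollutingKey(value[key], childPath);
    if (hit !== null) return hit;
  }
  return null;
}

// Parses a JSON body and refuses it if any forbidden key is present.
// Returns { ok: true, value } or { ok: false, reason }.
function parseBodySafely(jsonText) {
  let value;
  try {
    value = JSON.parse(jsonText);
  } catch (err) {
    return { ok: false, reason: `invalid JSON: ${err.message}` };
  }
  const bad = findPollutingKey(value);
  if (bad !== null) {
    return { ok: false, reason: `forbidden key at ${bad}` };
  }
  return { ok: true, value };
}

// Defence in depth for code that still has to deep-merge untrusted objects:
// copy only own, non-forbidden keys, so "__proto__" is never assigned.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (src !== null && typeof src === 'object' && !Array.isArray(src)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const dst = existing !== null && typeof existing === 'object' && !Array.isArray(existing)
        ? existing
        : {};
      target[key] = safeMerge(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample bodies (not taken from the advisory).
const samples = [
  '{"name":"alice","tags":["a","b"]}',
  '{"filter":{"__proto__":{"isAdmin":true}}}',
  '[{"constructor":{"prototype":{"x":1}}}]',
];
for (const body of samples) {
  console.log(body, '=>', parseBodySafely(body));
}
```

Rejecting every `constructor` key is a deliberate trade-off: it is the second common pollution path (`constructor.prototype`), but it also blocks legitimate data that happens to use that field name, so an application with such data would switch to an allowlist of expected keys instead. The guard is a mitigation at the input boundary, not a substitute for upgrading to 4.10.7.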
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Parseplatform Parse-server | <4.10.7 | Upgrade to 4.10.7 or later |
| Canonical Ubuntu Linux | | |
| Microsoft Windows | | |
CVE-2022-24760 is a Remote Code Execution (RCE) vulnerability in Parse Server prior to version 4.10.7.
CVE-2022-24760 affects Parse Server in the default configuration with MongoDB.
CVE-2022-24760 has a severity rating of 10 (Critical).
To fix CVE-2022-24760, upgrade to Parse Server version 4.10.7 or later.
References for CVE-2022-24760: [Link 1](https://github.com/parse-community/parse-server/commit/886bfd7cac69496e3f73d4bb536f0eec3cba0e4d), [Link 2](https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm), [Link 3](https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099/).