CVE-2022-31112: Protected fields exposed via LiveQuery in parse-server
First published: Thu Jun 30 2022(Updated: )
### Impact Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. ### Patches The LiveQueryController now removes protected fields from the client response. ### Workarounds Use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh - https://github.com/parse-community/parse-server ### For more information If you have any questions or comments about this advisory: - For questions or comments about this vulnerability visit our [community forum](http://community.parseplatform.org/) or [community chat](http://chat.parseplatform.org/) - Report other vulnerabilities at [report.parseplatform.org](https://report.parseplatform.org/)
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/parse-server | >=5.0.0<5.2.4 | 5.2.4 |
| npm/parse-server | <4.10.13 | 4.10.13 |
| Parseplatform Parse-server | <4.10.13 | |
| Parseplatform Parse-server | >=5.0.0<5.2.4 |
Remedy
https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1
Remedy
https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
- https://nvd.nist.gov/vuln/detail/CVE-2022-31112
- https://github.com/parse-community/parse-server/issues/8073
- https://github.com/parse-community/parse-server/pull/8074
- https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1
- https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6
- https://github.com/parse-community/parse-server/releases/tag/5.2.4
- https://github.com/parse-community/parse-server/commit/054f3e6ab01d66a0dcfb77725af28eac1485b375
- https://github.com/advisories/GHSA-crrq-vr9j-fxxh (Advisory)
Frequently Asked Questions
What is CVE-2022-31112?
CVE-2022-31112 is a vulnerability in Parse Server where protected fields in classes are not removed in Parse Server LiveQuery responses.
How does CVE-2022-31112 impact Parse Server?
CVE-2022-31112 allows protected fields in classes to be passed to the client in Parse Server LiveQuery.
What is the severity of CVE-2022-31112?
The severity of CVE-2022-31112 is high, with a CVSS score of 8.2.
How can I fix CVE-2022-31112 in Parse Server?
You can fix CVE-2022-31112 in Parse Server by upgrading to version 5.2.4 or later.
Are there any workarounds for CVE-2022-31112?
Yes, you can use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields as a workaround for CVE-2022-31112.
- collector/github-advisory-latest
- alias/GHSA-crrq-vr9j-fxxh
- alias/CVE-2022-31112
- collector/github-advisory
- collector/nvd-index
- collector/nvd-api
- collector/nvd-cve
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/author
- agent/title
- agent/first-publish-date
- agent/tags
- agent/description
- agent/event
- package-manager/npm
- vendor/parseplatform
- canonical/parseplatform parse-server
- version/parseplatform parse-server/5.0.0