high
8.6
CWE
200
Advisory Published
Updated

CVE-2022-36079: Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

First published: Wed Sep 07 2022(Updated: )

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Parseplatform Parse-server<4.10.14
Parseplatform Parse-server>=5.0.0<5.2.5

Remedy

https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec

Remedy

https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2022-36079?

    CVE-2022-36079 is a vulnerability in Parse Server, an open source backend that can be deployed to any infrastructure that can run Node.js.

  • How does CVE-2022-36079 affect Parse Server?

    CVE-2022-36079 allows an attacker to use internal and protected fields as query constraints in Parse Server, potentially causing unauthorized data access.

  • What software versions are affected by CVE-2022-36079?

    Parse Server versions up to 4.10.14 and versions between 5.0.0 and 5.2.5 are affected by CVE-2022-36079.

  • What is the severity of CVE-2022-36079?

    CVE-2022-36079 has a severity rating of 7.5 (high).

  • How can I fix CVE-2022-36079?

    To fix CVE-2022-36079, update Parse Server to a version higher than 5.2.5 or apply the fixes mentioned in the provided GitHub commits.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203