What is CVE-2023-22474?

CVE-2023-22474 is a vulnerability in Parse Server that allows a client to set the 'x-forwarded-for' header and determine the client IP address.

What is the severity of CVE-2023-22474?

CVE-2023-22474 has a severity rating of 8.1 (high).

How does CVE-2023-22474 affect Parse Server?

CVE-2023-22474 affects Parse Server versions up to and excluding 5.4.1.

How do I fix CVE-2023-22474?

To fix CVE-2023-22474, update Parse Server to a version equal to or higher than 5.4.1.

Vulnerability/
CVE-2023-22474

high

8.7

CWE

290

3/2/2023

2/8/2024

CVE-2023-22474: Parse Server is vulnerable to authentication bypass via spoofing

Q: Where can I find more information about CVE-2023-22474?

You can find more information about CVE-2023-22474 in the following references: [Reference 1](https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8), [Reference 2](https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x).

First published: Fri Feb 03 2023(Updated: )

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value. This issue has been patched in version 5.4.1. The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires to set the Parse Server option `trustProxy`.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Parse Platform Parse Server	<5.4.1

Remedy

https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-22474?
CVE-2023-22474 is a vulnerability in Parse Server that allows a client to set the 'x-forwarded-for' header and determine the client IP address.
What is the severity of CVE-2023-22474?
CVE-2023-22474 has a severity rating of 8.1 (high).
How does CVE-2023-22474 affect Parse Server?
CVE-2023-22474 affects Parse Server versions up to and excluding 5.4.1.
How do I fix CVE-2023-22474?
To fix CVE-2023-22474, update Parse Server to a version equal to or higher than 5.4.1.
Where can I find more information about CVE-2023-22474?
You can find more information about CVE-2023-22474 in the following references: [Reference 1](https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8), [Reference 2](https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x).

agent/references
agent/type
agent/weakness
agent/severity
agent/title
agent/author
agent/remedy
agent/event
agent/first-publish-date
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
agent/softwarecombine
collector/nvd-index
agent/software-canonical-lookup-request
vendor/parseplatform
canonical/parse platform parse server

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.