CVE-2023-36475: Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
First published: Wed Jun 28 2023(Updated: )
### Impact An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. ### Patches Prevent prototype pollution in MongoDB database adapter. ### Workarounds Disable remote code execution through the MongoDB BSON parser. ### Credits - Discovered by hir0ot working with Trend Micro Zero Day Initiative - Fixed by dbythy - Reviewed by mtrezza ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6 - https://github.com/advisories/GHSA-prm5-8g2m-24gg
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Parseplatform Parse-server | <5.5.2 | |
| Parseplatform Parse-server | >=6.0.0<6.2.1 |
Remedy
https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90
Remedy
https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90
- https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f
- https://github.com/parse-community/parse-server/issues/8674
- https://github.com/parse-community/parse-server/issues/8675
- https://github.com/parse-community/parse-server/releases/tag/5.5.2
- https://github.com/parse-community/parse-server/releases/tag/6.2.1
- https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6
- https://nvd.nist.gov/vuln/detail/CVE-2023-36475
- https://github.com/advisories/GHSA-462x-c3jw-7vr6 (Advisory)
Frequently Asked Questions
What is the impact of CVE-2023-36475?
An attacker can use this vulnerability to trigger a remote code execution through the MongoDB BSON parser.
How can I fix CVE-2023-36475?
Apply the patch to prevent prototype pollution in the MongoDB database adapter.
Are there any workarounds to protect against CVE-2023-36475?
Disable remote code execution through the MongoDB BSON parser.
What is the severity of CVE-2023-36475?
The severity of this vulnerability is critical with a CVSS score of 9.8.
Where can I find more information about CVE-2023-36475?
You can find more information about CVE-2023-36475 at the following references: [GitHub Advisory](https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-36475), [GitHub Issue](https://github.com/parse-community/parse-server/issues/8674).
- collector/nvd-index
- collector/nvd-cve
- collector/github-advisory-latest
- alias/GHSA-462x-c3jw-7vr6
- alias/CVE-2023-36475
- collector/github-advisory
- agent/author
- agent/remedy
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/references
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/event
- agent/tags
- agent/trending
- vendor/parseplatform
- canonical/parseplatform parse-server
- version/parseplatform parse-server/6.0.0
- package-manager/npm