GHSA-462x-c3jw-7vr6

Source

https://github.com/advisories/GHSA-462x-c3jw-7vr6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-462x-c3jw-7vr6/GHSA-462x-c3jw-7vr6.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-462x-c3jw-7vr6

Aliases

Published

2023-06-30T20:41:43Z

Modified

2023-12-06T00:48:03.959289Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

Details

Impact

An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.

Patches

Prevent prototype pollution in MongoDB database adapter.

Workarounds

Disable remote code execution through the MongoDB BSON parser.

Credits

Discovered by hir0ot working with Trend Micro Zero Day Initiative
Fixed by dbythy
Reviewed by mtrezza

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6
https://github.com/advisories/GHSA-prm5-8g2m-24gg

Database specific

{
    "nvd_published_at": "2023-06-28T23:15:21Z",
    "github_reviewed_at": "2023-06-30T20:41:43Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1321"
    ]
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.5.2