GHSA-93vw-8fm5-p2jf

Source

https://github.com/advisories/GHSA-93vw-8fm5-p2jf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-93vw-8fm5-p2jf/GHSA-93vw-8fm5-p2jf.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-93vw-8fm5-p2jf

Aliases

Published

2022-11-10T13:02:35Z

Modified

2023-12-06T00:47:35.374582Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

Details

Impact

A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.

Patches

Improved keyword detection.

Workarounds

None.

Collaborators

Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf

Database specific

{
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-10T13:02:35Z",
    "cwe_ids": [
        "CWE-1321"
    ],
    "nvd_published_at": "2022-11-10T21:15:00Z"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.10.20