CVE-2022-36079

{"id": "CVE-2022-36079", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2022-09-07T21:15:08.560", "references": [{"url": "https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/issues/8143", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/issues/8144", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/releases/tag/4.10.14", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/releases/tag/5.2.5", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Los campos internos (claves usadas internamente por Parse Server, prefijadas por \"_\") y los campos protegidos (definidos por el usuario) pueden usarse como restricciones de consulta. Los campos internos y protegidos son eliminados por Parse Server y s\u00f3lo se devuelven al cliente usando una llave maestra v\u00e1lida. Sin embargo, usando las restricciones de consulta, estos campos pueden ser adivinados al enumerar hasta que Parse Server, versiones anteriores a 4.10.14 o 5.2.5, devuelva un objeto de respuesta. El parche disponible en versiones 4.10.14 y 5.2.5, requiere que la llave m\u00e1ser use campos internos y protegidos como restricciones de consulta. Como mitigaci\u00f3n, implemente un Parse Cloud Trigger \"beforeFind\" y elimine manualmente las restricciones de consulta"}], "lastModified": "2022-09-12T18:26:02.063", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "55B47674-02C1-4BE5-B962-AF328A4F99B5", "versionEndExcluding": "4.10.14"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "65395D8C-9056-4F74-B1C4-8CB4723CE12A", "versionEndExcluding": "5.2.5", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}