CVE-2022-41878

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the `requestKeywordDenylist` option. This issue is fixed in versions 4.10.19, and 5.3.2. If upgrade is not possible, the following Workarounds may be applied: Configure your firewall to only allow trusted servers to make request to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*

History

15 Nov 2022, 20:00

Type	Values Removed	Values Added
References	~~(CONFIRM) https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx -~~	(CONFIRM) https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx - Third Party Advisory
CWE		CWE-1321
First Time		Parseplatform parse-server Parseplatform
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:parseplatform:parse-server::::::node.js::*

10 Nov 2022, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-10 23:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-41878

Mitre link : CVE-2022-41878

CVE.ORG link : CVE-2022-41878

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2022-41878", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2022-11-10T23:15:10.740", "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1321"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1321"}, {"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the `requestKeywordDenylist` option. This issue is fixed in versions 4.10.19, and 5.3.2. If upgrade is not possible, the following Workarounds may be applied: Configure your firewall to only allow trusted servers to make request to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que se puede implementar en cualquier infraestructura que pueda ejecutar Node.js. En versiones anteriores a la 5.3.2 o 4.10.19, las palabras clave que se especifican en la opci\u00f3n del servidor Parse `requestKeywordDenylist` se pueden inyectar a trav\u00e9s de activadores o webhooks de Cloud Code. Esto dar\u00e1 como resultado que la palabra clave se guarde en la base de datos, sin pasar por la opci\u00f3n `requestKeywordDenylist`. Este problema se solucion\u00f3 en las versiones 4.10.19 y 5.3.2. Si la actualizaci\u00f3n no es posible, se pueden aplicar workarounds: Configure su firewall para permitir que solo los servidores confiables realicen solicitudes a la API de Webhooks de Parse Server Cloud Code, o bloquee la API por completo si no est\u00e1 utilizando la funci\u00f3n."}], "lastModified": "2022-11-15T20:00:54.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "EBA8EB8E-55DA-44A8-86D9-21A8AF357B10", "versionEndExcluding": "4.10.19"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BEB49780-5858-4A23-B766-AEA4369785CC", "versionEndExcluding": "5.3.2", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}