CVE-2023-41058

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-41058
Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://docs.parseplatform.org/parse-server/guide/#security Product
https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5 Patch
https://github.com/parse-community/parse-server/releases/tag/5.5.5 Release Notes
https://github.com/parse-community/parse-server/releases/tag/6.2.2 Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
History

08 Sep 2023, 17:17

Type Values Removed Values Added
CPE cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
References (MISC) https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5 - (MISC) https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5 - Patch
References (MISC) https://github.com/parse-community/parse-server/releases/tag/6.2.2 - (MISC) https://github.com/parse-community/parse-server/releases/tag/6.2.2 - Release Notes
References (MISC) https://docs.parseplatform.org/parse-server/guide/#security - (MISC) https://docs.parseplatform.org/parse-server/guide/#security - Product
References (MISC) https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q - (MISC) https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q - Mitigation, Vendor Advisory
References (MISC) https://github.com/parse-community/parse-server/releases/tag/5.5.5 - (MISC) https://github.com/parse-community/parse-server/releases/tag/5.5.5 - Release Notes
First Time Parseplatform parse-server
Parseplatform

04 Sep 2023, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-09-04 23:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-41058

Mitre link : CVE-2023-41058

CVE.ORG link : CVE-2023-41058

JSON object : View

Products Affected

parseplatform

  • parse-server
CWE
CWE-670

Always-Incorrect Control Flow Implementation


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024