Add CVE-2022-39396 for GHSA-prm5-8g2m-24gg

2025-05-08 19:46:39 +00:00 · 2022-11-10 00:10:42 +00:00 · 2022-11-10 00:10:42 +00:00 · 76acf1f38f
commit 76acf1f38f
parent b313227051
1 changed files with 74 additions and 6 deletions
--- a/2022/39xxx/CVE-2022-39396.json
+++ b/2022/39xxx/CVE-2022-39396.json
@ -1,18 +1,86 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-39396",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Parse Server vulnerable to Remote Code Execution via prototype pollution in MongoDB BSON parser"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "parse-server",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 4.10.18"
+                                        },
+                                        {
+                                            "version_value": ">= 5.0.0, < 5.3.1"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "parse-community"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds."
+            }
+        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "HIGH",
+            "baseScore": 9.8,
+            "baseSeverity": "CRITICAL",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "NONE",
+            "scope": "UNCHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"
                    }
                ]
            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-prm5-8g2m-24gg",
+        "discovery": "UNKNOWN"
+    }
 }