Add CVE-2022-31112 for GHSA-crrq-vr9j-fxxh

Add CVE-2022-31112 for GHSA-crrq-vr9j-fxxh
This commit is contained in:
advisory-database[bot] 2022-06-30 16:37:12 +00:00 committed by GitHub
parent 846a8bcc7a
commit db7ce41784
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1,18 +1,111 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31112",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Protected fields exposed via LiveQuery in parse-server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "parse-server",
"version": {
"version_data": [
{
"version_value": "< 4.10.13"
},
{
"version_value": ">= 5.0.0, < 5.2.4"
}
]
}
}
]
},
"vendor_name": "parse-community"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh",
"refsource": "CONFIRM",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh"
},
{
"name": "https://github.com/parse-community/parse-server/issues/8073",
"refsource": "MISC",
"url": "https://github.com/parse-community/parse-server/issues/8073"
},
{
"name": "https://github.com/parse-community/parse-server/pull/8074",
"refsource": "MISC",
"url": "https://github.com/parse-community/parse-server/pull/8074"
},
{
"name": "https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1",
"refsource": "MISC",
"url": "https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1"
},
{
"name": "https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6",
"refsource": "MISC",
"url": "https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/5.2.4",
"refsource": "MISC",
"url": "https://github.com/parse-community/parse-server/releases/tag/5.2.4"
}
]
},
"source": {
"advisory": "GHSA-crrq-vr9j-fxxh",
"discovery": "UNKNOWN"
}
}