{ "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36079", "STATE": "PUBLIC", "TITLE": "Parse Server vulnerable to brute force guessing of user sensitive data via search patterns" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "parse-server", "version": { "version_data": [ { "version_value": "< 4.10.14" }, { "version_value": ">= 5.0.0, < 5.2.5" } ] } } ] }, "vendor_name": "parse-community" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6", "refsource": "CONFIRM", "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6" }, { "name": "https://github.com/parse-community/parse-server/issues/8143", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/issues/8143" }, { "name": "https://github.com/parse-community/parse-server/issues/8144", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/issues/8144" }, { "name": "https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec" }, { "name": "https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4" }, { "name": "https://github.com/parse-community/parse-server/releases/tag/4.10.14", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/releases/tag/4.10.14" }, { "name": "https://github.com/parse-community/parse-server/releases/tag/5.2.5", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/releases/tag/5.2.5" } ] }, "source": { "advisory": "GHSA-2m6g-crv8-p3c6", "discovery": "UNKNOWN" } }