CVE-2022-36079 - OpenCVE

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Parseplatform	Parse-server

Configuration 1 [-]

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*

No data.

References

Link	Providers
https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec
https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4
https://github.com/parse-community/parse-server/issues/8143
https://github.com/parse-community/parse-server/issues/8144
https://github.com/parse-community/parse-server/releases/tag/4.10.14
https://github.com/parse-community/parse-server/releases/tag/5.2.5
https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-09-07T20:40:13

Updated: 2024-08-03T09:52:00.466Z

Reserved: 2022-07-15T00:00:00

Link: CVE-2022-36079

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-07T21:15:08.560

Modified: 2022-09-12T18:26:02.063

Link: CVE-2022-36079

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "parse-server", "vendor": "parse-community", "versions": [{"status": "affected", "version": "< 4.10.14"}, {"status": "affected", "version": ">= 5.0.0, < 5.2.5"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-07T20:40:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/issues/8143"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/issues/8144"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/4.10.14"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.2.5"}], "source": {"advisory": "GHSA-2m6g-crv8-p3c6", "discovery": "UNKNOWN"}, "title": "Parse Server vulnerable to brute force guessing of user sensitive data via search patterns", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36079", "STATE": "PUBLIC", "TITLE": "Parse Server vulnerable to brute force guessing of user sensitive data via search patterns"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "parse-server", "version": {"version_data": [{"version_value": "< 4.10.14"}, {"version_value": ">= 5.0.0, < 5.2.5"}]}}]}, "vendor_name": "parse-community"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6", "refsource": "CONFIRM", "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6"}, {"name": "https://github.com/parse-community/parse-server/issues/8143", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/issues/8143"}, {"name": "https://github.com/parse-community/parse-server/issues/8144", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/issues/8144"}, {"name": "https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec"}, {"name": "https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/4.10.14", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/releases/tag/4.10.14"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/5.2.5", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/releases/tag/5.2.5"}]}, "source": {"advisory": "GHSA-2m6g-crv8-p3c6", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.466Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/issues/8143"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/issues/8144"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/4.10.14"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.2.5"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36079", "datePublished": "2022-09-07T20:40:13", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:52:00.466Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "55B47674-02C1-4BE5-B962-AF328A4F99B5", "versionEndExcluding": "4.10.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "65395D8C-9056-4F74-B1C4-8CB4723CE12A", "versionEndExcluding": "5.2.5", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Los campos internos (claves usadas internamente por Parse Server, prefijadas por \"_\") y los campos protegidos (definidos por el usuario) pueden usarse como restricciones de consulta. Los campos internos y protegidos son eliminados por Parse Server y s\u00f3lo se devuelven al cliente usando una llave maestra v\u00e1lida. Sin embargo, usando las restricciones de consulta, estos campos pueden ser adivinados al enumerar hasta que Parse Server, versiones anteriores a 4.10.14 o 5.2.5, devuelva un objeto de respuesta. El parche disponible en versiones 4.10.14 y 5.2.5, requiere que la llave m\u00e1ser use campos internos y protegidos como restricciones de consulta. Como mitigaci\u00f3n, implemente un Parse Cloud Trigger \"beforeFind\" y elimine manualmente las restricciones de consulta"}], "id": "CVE-2022-36079", "lastModified": "2022-09-12T18:26:02.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-07T21:15:08.560", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/issues/8143"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/issues/8144"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/releases/tag/4.10.14"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.2.5"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}