CVE-2023-36475 - OpenCVE

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Parseplatform	Parse-server

Configuration 1 [-]

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*

No data.

References

Link	Providers
https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90
https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f
https://github.com/parse-community/parse-server/issues/8674
https://github.com/parse-community/parse-server/issues/8675
https://github.com/parse-community/parse-server/releases/tag/5.5.2
https://github.com/parse-community/parse-server/releases/tag/6.2.1
https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-28T22:32:10.081Z

Updated: 2024-08-02T16:45:57.041Z

Reserved: 2023-06-21T18:50:41.703Z

Link: CVE-2023-36475

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-06-28T23:15:21.140

Modified: 2023-07-06T17:09:13.360

Link: CVE-2023-36475

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-36475", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-21T18:50:41.703Z", "datePublished": "2023-06-28T22:32:10.081Z", "dateUpdated": "2024-08-02T16:45:57.041Z"}, "containers": {"cna": {"title": "Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"}, {"name": "https://github.com/parse-community/parse-server/issues/8674", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/issues/8674"}, {"name": "https://github.com/parse-community/parse-server/issues/8675", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/issues/8675"}, {"name": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"}, {"name": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 5.5.2", "status": "affected"}, {"version": ">= 6.0.0, < 6.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-28T22:32:10.081Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1."}], "source": {"advisory": "GHSA-462x-c3jw-7vr6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:45:57.041Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"}, {"name": "https://github.com/parse-community/parse-server/issues/8674", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/issues/8674"}, {"name": "https://github.com/parse-community/parse-server/issues/8675", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/issues/8675"}, {"name": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"}, {"name": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8059544D-58C9-4AA3-8ABF-C29439C1EF8E", "versionEndExcluding": "5.5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "505FD02D-F6D9-4B39-B963-03604E91D129", "versionEndExcluding": "6.2.1", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede desplegarse en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 5.5.2 y 6.2.1, un atacante puede utilizar un prototipo de \"pollution sink\" para desencadenar una ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s del analizador BSON de MongoDB. Hay un parche disponible en las versiones 5.5.2 y 6.2.1. "}], "id": "CVE-2023-36475", "lastModified": "2023-07-06T17:09:13.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-06-28T23:15:21.140", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/issues/8674"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/issues/8675"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}