CVE-2022-31112
HIGH8.2EPSS 0.60%Protected fields exposed via LiveQuery
Description
### Impact Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. ### Patches The LiveQueryController now removes protected fields from the client response. ### Workarounds Use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh - https://github.com/parse-community/parse-server ### For more information If you have any questions or comments about this advisory: - For questions or comments about this vulnerability visit our [community forum](http://community.parseplatform.org/) or [community chat](http://chat.parseplatform.org/) - Report other vulnerabilities at [report.parseplatform.org](https://report.parseplatform.org/)
Affected packages (2)
- Bitnami/parsefrom 0, < 4.10.13, >= 5.0.0, < 5.2.4
- npm/parse-serverfrom 0, < 4.10.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-31112
- PATCHhttps://github.com/parse-community/parse-server
- WEBhttps://github.com/parse-community/parse-server/commit/054f3e6ab01d66a0dcfb77725af28eac1485b375
- WEBhttps://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1
- WEBhttps://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6
- WEBhttps://github.com/parse-community/parse-server/issues/8073
- WEBhttps://github.com/parse-community/parse-server/pull/8074
- WEBhttps://github.com/parse-community/parse-server/releases/tag/5.2.4
- WEBhttps://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh