CVE-2022-39396

CRITICAL9.8EPSS 11.0%

Remote code execution via MongoDB BSON parser through prototype pollution

Published: 11/8/2022Modified: 12/6/2023

Also known as:GHSA-prm5-8g2m-24ggBIT-parse-2022-39396

Description

### Impact An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. ### Patches Prevent prototype pollution in MongoDB database adapter. ### Workarounds Disable remote code execution through the MongoDB BSON parser. ### Collaborators Mikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg

Affected packages (2)

Bitnami/parsefrom 0, < 4.10.18, >= 5.0.0, < 5.3.1
npm/parse-serverfrom 0, < 4.10.18

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-39396
PATCHhttps://github.com/parse-community/parse-server
WEBhttps://github.com/parse-community/parse-server/pull/8295
WEBhttps://github.com/parse-community/parse-server/pull/8296
WEBhttps://github.com/parse-community/parse-server/releases/tag/4.10.18
WEBhttps://github.com/parse-community/parse-server/releases/tag/5.3.1
WEBhttps://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg