CVE-2023-36475
Severity: CRITICAL 9.8 | EPSS: 9.8%
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
Published: 6/30/2023 | Modified: 12/6/2023
Description
### Impact

An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.

### Patches

Prevent prototype pollution in MongoDB database adapter.

### Workarounds

Disable remote code execution through the MongoDB BSON parser.

### Credits

- Discovered by hir0ot working with Trend Micro Zero Day Initiative
- Fixed by dbythy
- Reviewed by mtrezza

### References

- https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6
- https://github.com/advisories/GHSA-prm5-8g2m-24gg
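The advisory names the bug class (a prototype pollution sink in the MongoDB adapter that the BSON parser later turns into code execution) but does not show the sink. The block below is an added illustration, not Parse Server's code and not the patch from the linked commits: a naive recursive merge of a JSON request body into a server-side object, which is the canonical sink shape, beside a hardened version that rejects `__proto__`, `constructor` and `prototype` keys anywhere in the nested document before writing. The payload, the helper names and the key list are assumptions for the example; the exact filter Parse Server 5.5.2 / 6.2.1 applies is not reproduced here. The example stops at the pollution step and does not model the BSON parser stage.

```javascript
// Added illustration (not Parse Server code): a prototype-pollution sink of the
// kind described in the advisory, beside a hardened replacement.

// Keys that, when used as object property names, reach the prototype chain of a
// plain object or its constructor. Assumed list for this example.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// VULNERABLE: recursively copy `src` into `dst`. On a plain object, dst["__proto__"]
// resolves to Object.prototype, so a nested {"__proto__": {...}} from JSON.parse
// (where "__proto__" is an own key) gets written onto every object in the process.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// HARDENED (one possible fix, assumed for this example): walk the untrusted
// document first and refuse any forbidden key at any depth, reporting its path.
function assertNoPrototypeKeys(obj, path = '$') {
  if (obj === null || typeof obj !== 'object') return;
  for (const key of Object.keys(obj)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`prototype pollution attempt: forbidden key "${key}" at ${path}`);
    }
    assertNoPrototypeKeys(obj[key], `${path}.${key}`);
  }
}

function safeMerge(dst, src) {
  assertNoPrototypeKeys(src);
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // Only reuse an existing *own* object on dst; never an inherited one.
      if (!Object.prototype.hasOwnProperty.call(dst, key) ||
          typeof dst[key] !== 'object' || dst[key] === null) {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Runs both paths against one constructed attacker payload and returns what happened.
function demo() {
  // Constructed request body; "__proto__" is an own key after JSON.parse.
  const payload = JSON.parse('{"name":"x","__proto__":{"polluted":"yes"}}');

  // Vulnerable path: an unrelated fresh object now inherits "polluted".
  unsafeMerge({}, payload);
  const leaked = ({}).polluted;        // "yes"
  delete Object.prototype.polluted;    // undo the pollution for the rest of the process

  // Hardened path: the same payload is rejected before any write.
  let rejected = null;
  try {
    safeMerge({}, payload);
  } catch (e) {
    rejected = e.message;
  }
  const clean = ({}).polluted;         // undefined

  return { leaked, rejected, clean };
}

console.log(demo());
```

The check is placed on the inbound document rather than on the merge target because the adapter is the last point that sees every key before it is written; a filter at one HTTP entry point misses other paths (cloud functions, batch requests, nested update operators) that feed the same sink.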
Affected packages (2)
- Bitnami/parse: from 0, < 5.5.2; >= 6.0.0, < 6.2.1
- npm/parse-server: from 0, < 5.5.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-36475
- PATCH https://github.com/parse-community/parse-server
- WEB https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90
- WEB https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f
- WEB https://github.com/parse-community/parse-server/issues/8674
- WEB https://github.com/parse-community/parse-server/issues/8675
- WEB https://github.com/parse-community/parse-server/releases/tag/5.5.2
- WEB https://github.com/parse-community/parse-server/releases/tag/6.2.1
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6