CVE-2023-41058

HIGH7.5EPSS 0.27%

Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer

Published: 9/4/2023Modified: 12/6/2023
Also known as:GHSA-fcv6-fg5r-jm9qBIT-parse-2023-41058

Description

### Impact A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the `beforeFind` query trigger which can be an additional vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify an incoming query. ### Patches The vulnerability was fixed by implementing a patch in the internal query pipeline to prevent a Parse Pointer to be used to access internal Parse Server classes or circumvent the `beforeFind` trigger. ### Workarounds There is no known workaround to prevent a Parse Pointer to be used to access internal Parse Server classes. A workaround if a `beforeFind` trigger is used as a security layer is to instead use the Parse Server provided [security layers](https://docs.parseplatform.org/parse-server/guide/#security) to manage access levels with Class-Level Permissions and Object-Level Access Control. ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q - Patched in Parse Server 6.x: https://github.com/parse-community/parse-server/releases/tag/6.2.2 - Patched in Parse Server 5.x (LTS): https://github.com/parse-community/parse-server/releases/tag/5.5.5

Affected packages (2)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1HIGH7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (7)