CVE-2023-32688 — Invalid push request payload crashes Parse Server

描述

### Impact The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. ### Patches Invalid push notification payload is caught and an logged. ### Workarounds n/a ### References - https://github.com/parse-community/parse-server-push-adapter/security/advisories/GHSA-mxhg-rvwx-x993 - https://github.com/parse-community/parse-server-push-adapter/pull/217

如何修補 CVE-2023-32688

要修補 CVE-2023-32688,請將受影響套件升級到下列已修補版本。

—升級至 4.1.3 或更新版本

CVE-2023-32688 正在被利用嗎?

低 — EPSS 為 0.6%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 4.1.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

參考連結(6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-32688
PATCHgithub.com/parse-community/parse-server-push-adapter
WEBgithub.com/parse-community/parse-server-push-adapter/commit/598cb84d0866b7c5850ca96af920e8cb5ba243ec
WEBgithub.com/parse-community/parse-server-push-adapter/pull/217