Description
GraphQL: Security breach on Viewer query
Impact
An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.
Patches
This vulnerability has been patched in Parse Server 4.3.0.
Workarounds
No
References
See commit 78239ac for details.
Links
- https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
- https://nvd.nist.gov/vuln/detail/CVE-2020-15126
- https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
- https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
Packages
Name         | Ecosystem | Affected versions  | Fixed version
parse-server | npm       | >= 3.5.0, < 4.3.0  | 4.3.0
Related vulnerabilities
CVSS3: 6.5
nvd
about 5 years ago
In parse-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.
CVSS3: 3.1
fstec
more than 5 years ago
A vulnerability in the Wi-Fi driver for Broadcom chipsets that allows an attacker to gain unauthorized access to protected information