Описание
Protected fields exposed via LiveQuery
Impact
Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.
Patches
The LiveQueryController now removes protected fields from the client response.
Workarounds
Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
- https://github.com/parse-community/parse-server
For more information
If you have any questions or comments about this advisory:
- For questions or comments about this vulnerability visit our community forum or community chat
- Report other vulnerabilities at report.parseplatform.org
Ссылки
- https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
- https://nvd.nist.gov/vuln/detail/CVE-2022-31112
- https://github.com/parse-community/parse-server/issues/8073
- https://github.com/parse-community/parse-server/pull/8074
- https://github.com/parse-community/parse-server/commit/054f3e6ab01d66a0dcfb77725af28eac1485b375
- https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1
- https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6
- https://github.com/parse-community/parse-server/releases/tag/5.2.4
Пакеты
parse-server
< 4.10.13
4.10.13
parse-server
>= 5.0.0, < 5.2.4
5.2.4
Связанные уязвимости
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.