CVE-2020-15126

Опубликовано: 22 июл. 2020

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object.

Ссылки

https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
Release Notes
Third Party Advisory
https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
Patch
Third Party Advisory
https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
Third Party Advisory
https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
Release Notes
Third Party Advisory
https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
Patch
Third Party Advisory
https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:parseplatform:parse_server:*:*:*:*:*:*:*:*

Версия от 3.5.0 (включая) до 4.3.0 (исключая)

EPSS

Процентиль: 63%

0.00461

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-863

Связанные уязвимости

GHSA-236h-rqv8-8q73

CVSS3: 6.5

github

около 5 лет назад

GraphQL: Security breach on Viewer query

BDU:2020-01161

CVSS3: 3.1

fstec

больше 5 лет назад

Уязвимость драйвера Wi-Fi чипсетов Broadcom, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации