Описание
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.
Ссылки
- ProductRelease Notes
- ProductRelease Notes
- MitigationPatchVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 8.6.16 (исключая)Версия от 9.0.0 (включая) до 9.5.2 (исключая)
Одно из
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
EPSS
Процентиль: 4%
0.00017
Низкий
7.5 High
CVSS3
Дефекты
CWE-863
Связанные уязвимости
github
около 1 месяца назад
Parse Server has a bypass of class-level permissions in LiveQuery
EPSS
Процентиль: 4%
0.00017
Низкий
7.5 High
CVSS3
Дефекты
CWE-863