Vulnerability Details : CVE-2022-31112
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, Parse Server LiveQuery does not remove protected fields from classes before passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable to upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.
Vulnerability category: Information leak
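The workaround the description points at, as an added example that is neither the advisory's nor the Parse project's code: a Cloud Code hook on `Parse.Cloud.afterLiveQueryEvent` that strips protected fields from the event payload before it is sent to subscribers. The class names, field names and the `PROTECTED_FIELDS` map are constructed, and the intersection rule for matching keys is an assumption modelled on Parse Server's Class Level Permission handling, so verify it against your server version.

```javascript
'use strict';

// Constructed protectedFields map shaped like a Class Level Permission entry:
// className -> { '*' | 'authenticated' | 'role:<name>' | '<userId>' : [fields] }.
const PROTECTED_FIELDS = {
  _User: { '*': ['email', 'phone', 'ssn'], authenticated: ['phone', 'ssn'], 'role:Admin': [] },
  Order: { '*': ['internalNotes'] },
};

// CLP keys that apply to a requester: everyone, then the authenticated/user/role keys.
function requesterKeys(user, roleNames = []) {
  const keys = ['*'];
  if (user) keys.push('authenticated', user.id, ...roleNames.map((r) => `role:${r}`));
  return keys;
}

// Effective protected set = intersection of the lists for every matching key, so a more
// specific key can only relax what '*' hides. Assumption: mirrors Parse Server's CLP logic.
function effectiveProtectedFields(className, user, roleNames) {
  const table = PROTECTED_FIELDS[className] || {};
  const lists = requesterKeys(user, roleNames)
    .filter((k) => Array.isArray(table[k]))
    .map((k) => table[k]);
  if (lists.length === 0) return [];
  return lists.reduce((acc, list) => acc.filter((f) => list.includes(f)));
}

// Remove protected keys from a Parse.Object (exposes unset()) or from a plain JSON object.
function stripProtectedFields(obj, className, user, roleNames) {
  for (const field of effectiveProtectedFields(className, user, roleNames)) {
    if (typeof obj.unset === 'function') obj.unset(field);
    else delete obj[field];
  }
  return obj;
}

// Register the hook only when loaded inside Parse Server (the Parse global is absent offline).
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  for (const className of Object.keys(PROTECTED_FIELDS)) {
    Parse.Cloud.afterLiveQueryEvent(className, (request) => {
      const roleNames = []; // simplified: resolve the subscriber's roles via Parse.Role in production
      stripProtectedFields(request.object, className, request.user, roleNames);
      if (request.original) stripProtectedFields(request.original, className, request.user, roleNames);
    });
  }
}
```

Loaded as a Cloud Code file, the hook runs for every LiveQuery event on the listed classes; the pure functions can be unit-tested without a running server.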
Products affected by CVE-2022-31112
- cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31112
- EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~51% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-31112
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST | 
8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 3.9 | 4.2 | NIST | 
8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 3.9 | 4.2 | GitHub, Inc. | 
CWE ids for CVE-2022-31112
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by: security-advisories@github.com, Secondary)
- The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2022-31112
- https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6 : "fix: protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [sk…" (commit 9fd4516; Patch; Third Party Advisory)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh : "Protected fields exposed via LiveQuery" (GitHub Security Advisory; Third Party Advisory)
- https://github.com/parse-community/parse-server/pull/8074 : "fix: protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh)" by mtrezza (Pull Request #8074; Patch; Release Notes; Third Party Advisory)
- https://github.com/parse-community/parse-server/releases/tag/5.2.4 : Release 5.2.4 (Release Notes; Third Party Advisory)
- https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1 : "fix: protected fields exposed via LiveQuery; this removes protected f…" (commit 309f64c; Patch; Third Party Advisory)
- https://github.com/parse-community/parse-server/issues/8073 : "fix: protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh)" by mtrezza (Pull Request #8073; Issue Tracking; Patch; Release Notes; Third Party Advisory)