Parse Server
CVE-2023-41058
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the beforeFind trigger is invoked. This fix was introduced in commit be4c7e23c6 and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers.
AnalysisAI
Parse Server is an open source backend server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-670. Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the beforeFind trigger is invoked. This fix was introduced in commit be4c7e23c6 and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers. Affected products include: Parseplatform Parse-Server.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Parse Server
View allParse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.
### Impact Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all
Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.
parse-server is a Parse Server for Node.js / Express. Rated critical severity (CVSS 10.0), this vulnerability is remotel
Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popula
SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.
SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.
SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today