Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an "array-like" object) instead of an array, the protected-field guard is bypassed.
The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 17
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
|
— |
8.6.70
|
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
|
9.0.0
|
9.7.0
|
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha10:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha11:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha12:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha13:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha14:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha15:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha8:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha9:*:*:*:node.js:*:*
|
— | — |
References 5
https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f0…
security-advisories@github.com
https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1b…
security-advisories@github.com
https://github.com/parse-community/parse-server/pull/10350
security-advisories@github.com
https://github.com/parse-community/parse-server/pull/10351
security-advisories@github.com
https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-8…
security-advisories@github.com