PT-2020-14206 · Parse · Parse Server

Moumouls · Published 2020-02-05 · Updated 2020-07-28 · CVE-2020-15126

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: parse-server versions 3.5.0 through 4.2.x (all releases before 4.3.0)
Description: An authenticated user issuing the viewer GraphQL query can bypass all read security (ACLs, class-level permissions and protected fields) on their own User object and on any object linked from it via a Relation or Pointer. The issue has been patched in Parse Server 4.3.0.
Recommendations: For parse-server versions 3.5.0 through 4.2.x, update to version 4.3.0 or later. Until the upgrade is deployed, restrict access to the viewer GraphQL query as a temporary workaround.
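The check below is an added example, not code from this advisory or from the Parse Server project. It builds the viewer GraphQL query with nested Pointer and Relation selections, since the advisory states that read security was bypassed both on the User object and on objects linked from it, and then inspects the response for fields that the deployment's protectedFields / ACL configuration should have withheld from an ordinary user. The class names (Company, Project), field names, the protectedFields list, the /graphql mount path and both sample responses are assumptions constructed for illustration; adapt them to your own schema and run it against a server before and after upgrading to 4.3.0.

```javascript
// Added example for verifying the CVE-2020-15126 fix (not from the advisory
// or from Parse Server). Class/field names and protectedFields are assumed.

// Fields the deployment's read security is expected to hide from an ordinary
// authenticated user (assumed configuration for this example).
const PROTECTED_FIELDS = {
  user: ["email", "authData", "internalNotes"],
  company: ["billingAccount"],
  project: ["secretKey"],
};

// The viewer query deliberately follows one Pointer (company) and one Relation
// (projects, exposed by Parse GraphQL as a connection) from the User object.
function buildViewerQuery() {
  return `
    query ViewerReadSecurityCheck {
      viewer {
        sessionToken
        user {
          id
          username
          email
          authData
          internalNotes
          company { id name billingAccount }
          projects { edges { node { id name secretKey } } }
        }
      }
    }`;
}

// Walk a viewer response and return "path.field" for every protected field
// that came back with a non-null value. An empty list means nothing leaked.
function findLeakedFields(response, protectedFields = PROTECTED_FIELDS) {
  const leaks = [];
  const user = response?.data?.viewer?.user;
  if (!user) return leaks;

  const check = (obj, names, prefix) => {
    for (const name of names) {
      if (obj && obj[name] !== undefined && obj[name] !== null) {
        leaks.push(`${prefix}.${name}`);
      }
    }
  };

  check(user, protectedFields.user, "user");
  check(user.company, protectedFields.company, "user.company");
  for (const edge of user.projects?.edges ?? []) {
    check(edge.node, protectedFields.project, `user.projects[${edge.node?.id}]`);
  }
  return leaks;
}

// Live check against a server (Node 18+ global fetch). The GraphQL endpoint
// accepts the same X-Parse-* headers as the REST API; the mount path is assumed.
async function runViewerCheck(serverUrl, applicationId, sessionToken) {
  const res = await fetch(`${serverUrl}/graphql`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "X-Parse-Application-Id": applicationId,
      "X-Parse-Session-Token": sessionToken,
    },
    body: JSON.stringify({ query: buildViewerQuery() }),
  });
  return findLeakedFields(await res.json());
}

// Constructed sample responses (not captured from a real server).
// Unpatched: protected fields on the user and on linked objects are returned.
const VULNERABLE_RESPONSE = {
  data: { viewer: { sessionToken: "r:abc", user: {
    id: "VXNlcjoxMjM=", username: "alice", email: "alice@example.com",
    authData: null, internalNotes: "vip",
    company: { id: "Q29tcGFueToxMjM=", name: "Acme", billingAccount: "4111-xxxx" },
    projects: { edges: [{ node: { id: "UHJvamVjdDox", name: "p1", secretKey: "s3cr3t" } }] },
  } } },
};
// Patched: same selection set, protected fields come back null.
const PATCHED_RESPONSE = {
  data: { viewer: { sessionToken: "r:abc", user: {
    id: "VXNlcjoxMjM=", username: "alice", email: null, authData: null, internalNotes: null,
    company: { id: "Q29tcGFueToxMjM=", name: "Acme", billingAccount: null },
    projects: { edges: [{ node: { id: "UHJvamVjdDox", name: "p1", secretKey: null } }] },
  } } },
};

console.log("unpatched leaks:", findLeakedFields(VULNERABLE_RESPONSE));
console.log("patched leaks:", findLeakedFields(PATCHED_RESPONSE));
```

Run the live variant as `await runViewerCheck("https://your-parse-server", "<appId>", "<sessionToken>")` with a session token for a low-privilege user; a non-empty result after upgrading means a field is still readable through the viewer path and the protectedFields or ACL configuration for that class needs attention.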

Fix

Weakness Enumeration

Incorrect Authorization

Time Of Check To Time Of Use

Related Identifiers

BDU:2020-01161
CVE-2020-15126
GHSA-236h-rqv8-8q73

Affected Products

Parse Server