PT-2021-22444 · Unknown · Parse Server+1

Kartal Kaan Bozdoğan · Published 2021-09-02 · Updated 2024-03-06 · CVE-2021-39187

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 4.10.3

Description

The issue occurs when a query request contains an invalid value for the explain option, causing Parse Server to crash due to a bug in the MongoDB Node.js driver that throws an exception Parse Server cannot catch.

Recommendations

For versions prior to 4.10.3, upgrade to Parse Server 4.10.3 to resolve the issue. As a temporary workaround, consider avoiding the use of the explain option in query requests until the patch is applied.

Fix

Improper Handling of Exceptional Conditions

RCE

Special Elements Injection

Weakness Enumeration

Related Identifiers

BIT-PARSE-2021-39187
CVE-2021-39187
GHSA-XQP8-W826-HH6X

Affected Products

MongoDB Node.js Driver
Parse Server