PT-2022-20537 · Unknown · Parse Server
Mtrezza
·
Published
2022-06-30
·
Updated
2024-03-06
·
CVE-2022-31112
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Parse Server (affected versions not specified)
Description
In affected versions, Parse Server LiveQuery does not strip a class's protected fields (the protectedFields part of the class-level permissions) from the objects it pushes to subscribed clients. Fields that the regular REST and SDK query path would withhold are therefore disclosed over the LiveQuery connection to any subscriber whose subscription matches the object, whether or not that subscriber is allowed to read them. The fix makes the LiveQueryController remove protected fields from the client response. Users are advised to upgrade to resolve the issue. Those unable to upgrade can register a Parse.Cloud.afterLiveQueryEvent trigger that manually removes protected fields before the event is sent, as a workaround.
Recommendations
To resolve the issue, users should upgrade to a version where the LiveQueryController removes protected fields from the client response.
As a temporary workaround, use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields from each event (both the object and, for update events, its original) until the patched version is deployed.
Exploit
Fix
Information Disclosure
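The check the fixed LiveQueryController performs, and which the afterLiveQueryEvent workaround above has to perform by hand, as an added example in JavaScript; this is not Parse Server's code or the project's reference workaround. The protectedFields config, the Customer class, the subscriber identities and the event payload are constructed for the example, and the rule for combining protectedFields entries is an assumption stated in the comments.

```javascript
// Added example, not Parse Server's own code: strip class-level protectedFields
// from a LiveQuery event before it reaches a subscriber. Resolution rule used
// here (an assumption for this example; check it against your Parse Server
// version): every entry that applies to the subscriber ("*", "authenticated",
// the user's objectId, "role:<name>") contributes its list, and a field is
// hidden only if all applicable lists contain it, so "role:Admin": [] exempts
// admins from everything.

// Constructed config in the shape of a Parse class-level permission block.
const PROTECTED_FIELDS = {
  '*': ['email', 'ssn', 'internalNotes'],
  authenticated: ['ssn', 'internalNotes'],
  'role:Support': ['ssn'],
  'role:Admin': [],
};

// Keys a LiveQuery payload always carries and that are never stripped.
const ALWAYS_VISIBLE = new Set(['__type', 'className', 'objectId', 'createdAt', 'updatedAt', 'ACL']);

// Config entries that apply to this subscriber. `subscriber` is null for an
// unauthenticated connection, otherwise { id, roles: [...] }.
function applicableEntries(config, subscriber) {
  const keys = ['*'];
  if (subscriber && subscriber.id) {
    keys.push('authenticated', subscriber.id);
    for (const role of subscriber.roles || []) keys.push(`role:${role}`);
  }
  return keys.filter(k => Array.isArray(config[k]));
}

// Intersection of the applicable lists: the fields to remove.
function resolveProtectedFields(config, subscriber) {
  let hidden = null;
  for (const key of applicableEntries(config, subscriber)) {
    const list = new Set(config[key]);
    hidden = hidden === null ? list : new Set([...hidden].filter(f => list.has(f)));
  }
  return hidden || new Set();
}

// Copy of a serialized object with the hidden fields removed.
function stripProtectedFields(objectJSON, config, subscriber) {
  const hidden = resolveProtectedFields(config, subscriber);
  const out = {};
  for (const [key, value] of Object.entries(objectJSON)) {
    if (ALWAYS_VISIBLE.has(key) || !hidden.has(key)) out[key] = value;
  }
  return out;
}

// Sanitize a whole event: update and leave events also carry the previous
// state in `original`, which leaks exactly as much as `object` does.
function sanitizeLiveQueryEvent(event, config, subscriber) {
  const clean = { ...event };
  if (event.object) clean.object = stripProtectedFields(event.object, config, subscriber);
  if (event.original) clean.original = stripProtectedFields(event.original, config, subscriber);
  return clean;
}

// Constructed payload of the kind LiveQuery pushes for an update.
const SAMPLE_EVENT = {
  op: 'update',
  requestId: 1,
  object: { className: 'Customer', objectId: 'c1', name: 'Alice', email: 'alice@example.com', ssn: '000-00-0001', internalNotes: 'vip' },
  original: { className: 'Customer', objectId: 'c1', name: 'Alice', email: 'alice@example.com', ssn: '000-00-0001', internalNotes: 'late payer' },
};

// Wiring inside Parse Server cloud code (only runs where `Parse` exists).
// Parse.Cloud.afterLiveQueryEvent, request.object / request.original /
// request.user and the Parse.Role query are real Parse APIs; looking the
// config up here and unsetting fields on the objects is this example's
// approach, not the project's reference workaround.
if (typeof Parse !== 'undefined' && Parse.Cloud && Parse.Cloud.afterLiveQueryEvent) {
  Parse.Cloud.afterLiveQueryEvent('Customer', async (request) => {
    let subscriber = null;
    if (request.user) {
      const roles = await new Parse.Query(Parse.Role).equalTo('users', request.user).find({ useMasterKey: true });
      subscriber = { id: request.user.id, roles: roles.map(r => r.getName()) };
    }
    const hidden = resolveProtectedFields(PROTECTED_FIELDS, subscriber);
    for (const obj of [request.object, request.original]) {
      if (obj) for (const field of hidden) obj.unset(field);
    }
  });
}
```

Two points a practitioner should take from this: the filtering has to happen on the server before the frame is written, because once the WebSocket message is sent the client has the bytes regardless of what the SDK later exposes; and the `original` object of an update event must be filtered with the same rule as `object`, or the workaround closes only half of the leak.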
Related Identifiers
Affected Products
Parse Server