PT-2022-24955 · Unknown+2 · Parse Server+2
Cristian-Alexandru Staicu +2
Published 2022-11-08 · Updated 2024-03-06
CVE-2022-39396
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 4.10.18
Parse Server versions prior to 5.3.1 on the 5.X branch
Description
Parse Server is an open-source backend that can be deployed to any infrastructure that can run Node.js. An attacker can use a prototype pollution sink to trigger remote code execution through the MongoDB BSON parser. This issue is patched in versions 5.3.1 and 4.10.18.
Recommendations
For versions prior to 4.10.18, update to version 4.10.18 or later.
For versions prior to 5.3.1 on the 5.X branch, update to version 5.3.1 or later.
If the update cannot be applied immediately, consider, as a temporary workaround, disabling remote code execution through the MongoDB BSON parser until the patched version is deployed.
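To make the prototype pollution sink named in the description concrete, and the kind of input guard an interim hardening can rely on, here is an added example. It is not Parse Server's code and does not reproduce its actual sink or the BSON parser path: a naive recursive merge is shown beside a guarded one, with a constructed payload (`PAYLOAD`) and helper names (`naiveMerge`, `safeMerge`, `pollutedAfter`) that are this example's own.

```javascript
// Added example (not Parse Server's own code, and not its actual sink or the BSON
// parser path): a prototype pollution sink next to a merge that refuses the keys.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: follows every key of the untrusted source, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursion writes there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip the prototype-reaching keys and only recurse into containers the
// target owns itself (created with a null prototype), so Object.prototype is never hit.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          !isPlainObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed payload: JSON.parse keeps "__proto__" as an ordinary own key,
// which is exactly what an unguarded merge then follows into the prototype chain.
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": true}, "name": "demo"}');

// Merges PAYLOAD with the given function and reports whether a fresh, unrelated
// object now inherits "polluted"; cleans up afterwards so checks stay independent.
function pollutedAfter(mergeFn) {
  mergeFn({}, PAYLOAD);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

Node.js can additionally be started with `--disable-proto=delete` (or `throw`) to remove the `Object.prototype.__proto__` accessor process-wide; that closes the `__proto__` route shown here but not pollution through `constructor.prototype`, so key filtering at the sink is still needed.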
Exploit · Fix · Prototype Pollution
Weakness Enumeration
Related Identifiers
Affected Products
MongoDB
Node.js
Parse Server