Executive Summary

Information
Name: CVE-2023-41058
Vendor: Cve
First vendor publication: 2023-09-04
Last vendor modification: 2023-09-08

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Overall CVSS Score: 7.5
Base Score: 7.5
Environmental Score: 7.5
Impact Sub Score: 3.6
Temporal Score: 7.5
Exploitability Sub Score: 3.9

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

Security-Database Scoring CVSS v2

CVSS vector:
CVSS Base Score: N/A
CVSS Impact Score: N/A
CVSS Exploit Score: N/A
Attack Range: N/A
Attack Complexity: N/A
Authentication: N/A

Detail

Parse Server is an open source backend server. In affected versions, the Parse Cloud trigger `beforeFind` is not invoked under certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. The fix was introduced in commit `be4c7e23c6` and is included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should rely on Parse Server's own security layers, Class-Level Permissions and Object-Level Access Control, to manage access levels instead of custom security layers in Cloud Code triggers.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41058

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-670 Always-Incorrect Control Flow Implementation

CPE : Common Platform Enumeration

Type Description Count
Application 2

Sources (Detail)

Source Url
MISC https://docs.parseplatform.org/parse-server/guide/#security
https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb6906856...
https://github.com/parse-community/parse-server/releases/tag/5.5.5
https://github.com/parse-community/parse-server/releases/tag/6.2.2
https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6...

Alert History

Date Information
2023-09-08 21:27:24
  • Multiple Updates
2023-09-05 13:27:32
  • Multiple Updates
2023-09-05 05:27:19
  • First insertion