Description
In parse-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on their own User object, and can also bypass all read security on objects linked to that User object via a Relation or Pointer.
Remediation
Upgrade parse-server to version 4.3.0 or later, the release that contains the fix commit listed in the references below.
References
https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa