Access Restriction Bypass

Affecting parse-server package, versions >=3.5.0 <4.3.0


Overview

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Access Restriction Bypass. An authenticated user who issues the `viewer` GraphQL query can bypass all read security (the ACLs and class-level permissions that normally restrict reads) on their own User object, and can also read every object reachable from that User object through a Relation or Pointer field, regardless of the read permissions set on those linked objects.

Remediation

Upgrade parse-server to version 4.3.0 or higher.
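The check below is an added example, not part of this advisory or of the parse-server project. It decides whether a deployment falls inside the affected range `>=3.5.0 <4.3.0` using a small hand-rolled semver comparison (so it runs with no dependencies), and then combines that with whether the GraphQL endpoint is actually mounted, since the vulnerable `viewer` query only exists on that endpoint. The option name `mountGraphQL` is assumed here to be the parse-server setting that enables the GraphQL API; the sample deployments at the bottom are constructed for illustration.

```javascript
// Added example (not from the advisory or parse-server): is this deployment
// exposed to CVE-2020-15126? Affected range from the advisory: >=3.5.0 <4.3.0.

function parseVersion(v) {
  // Accepts "4.2.0", "v4.2.0" and prerelease forms such as "4.3.0-alpha.1".
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  // Plain semver ordering: a prerelease sorts before its release (4.3.0-alpha.1 < 4.3.0),
  // so a 4.3.0 prerelease still counts as inside the affected range.
  if (x.prerelease && !y.prerelease) return -1;
  if (!x.prerelease && y.prerelease) return 1;
  return 0;
}

const AFFECTED_MIN = '3.5.0'; // inclusive lower bound from the advisory
const FIXED = '4.3.0';        // first fixed release from the advisory

function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIXED) < 0;
}

// Assess one deployment: the installed parse-server version plus its options.
// Assumption: `mountGraphQL: true` is what enables the GraphQL endpoint; the
// `viewer` query named in the advisory is only reachable when it is mounted.
function assess({ version, options = {} }) {
  const affected = isAffectedVersion(version);
  const graphqlMounted = options.mountGraphQL === true;
  if (!affected) {
    return { status: 'ok', reason: `parse-server ${version} is outside >=${AFFECTED_MIN} <${FIXED}` };
  }
  if (!graphqlMounted) {
    return {
      status: 'upgrade',
      reason: `parse-server ${version} is in the affected range but the GraphQL endpoint is not mounted; upgrade to ${FIXED} before enabling it`,
    };
  }
  return {
    status: 'vulnerable',
    reason: `parse-server ${version} with GraphQL mounted: authenticated users can read their User object and all linked objects via the viewer query; upgrade to ${FIXED} or higher`,
  };
}

// Constructed sample deployments (not real systems).
const SAMPLE_DEPLOYMENTS = [
  { name: 'api-prod',    version: '4.2.0', options: { mountGraphQL: true } },
  { name: 'api-legacy',  version: '3.4.9', options: { mountGraphQL: true } },
  { name: 'api-staging', version: '4.1.0', options: {} },
  { name: 'api-new',     version: '4.3.0', options: { mountGraphQL: true } },
];

function report(deployments) {
  return deployments.map(d => `${d.name}: ${assess(d).status} (${assess(d).reason})`);
}

for (const line of report(SAMPLE_DEPLOYMENTS)) console.log(line);
```

Run it with `node` to print one line per deployment. The `upgrade` status is deliberate: a vulnerable version without the GraphQL endpoint mounted is not reachable through the `viewer` query today, but the fix is still the same upgrade, and anyone who later enables GraphQL would expose the bug.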

CVSS Score

4.4
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Credit
Unknown
CVE
CVE-2020-15126
CWE
CWE-284
Snyk ID
SNYK-JS-PARSESERVER-590063
Disclosed
23 Jul, 2020
Published
23 Jul, 2020