Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes if a query request contains an invalid value for the `explain` option. This is due to a bug in the MongoDB Node.js driver, which throws an exception that Parse Server cannot catch. There is a patch for this issue in version 4.10.3. No workarounds aside from upgrading are known to exist.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 4.10.3 |
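The only remediation the advisory lists is upgrading to 4.10.3 or later, so the practical check is whether any installed copy of `parse-server` (including nested copies pulled in by other packages) is still below that version. The following is an added example, not code from the advisory or from the Parse project: it compares semantic versions against the fixed version and walks a `package-lock.json`-style `packages` map. The lockfile object is constructed for illustration.

```javascript
// Added example (not from the advisory): flag parse-server installs whose
// version falls in the affected range "< 4.10.3" given in the table above.
const FIXED_VERSION = "4.10.3";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into components; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease of X (e.g. 4.10.3-beta.1) sorts before the release X, so it is still affected.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.prerelease === pb.prerelease) return 0;
  if (pa.prerelease === null) return 1;
  if (pb.prerelease === null) return -1;
  return pa.prerelease < pb.prerelease ? -1 : 1;
}

// True when the installed version is strictly below the fixed version.
function isAffected(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) < 0;
}

// Walk a package-lock.json (lockfileVersion 2/3) "packages" map and collect every
// parse-server install, nested ones included, that is still in the affected range.
function findAffectedParseServer(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/parse-server")) continue;
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile: the root install is fixed, but a copy nested under
// a hypothetical plugin is still on 4.10.2.
const SAMPLE_LOCKFILE = {
  packages: {
    "node_modules/parse-server": { version: "4.10.3" },
    "node_modules/some-plugin/node_modules/parse-server": { version: "4.10.2" },
  },
};

console.log(JSON.stringify(findAffectedParseServer(SAMPLE_LOCKFILE)));
```

To run this against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-path walk matters because `npm ls parse-server` style output is easy to skim past when a plugin vendors its own copy.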
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/commit/308668c89474223e2448be92d (Patch, Third Party Advisory)
- https://github.com/parse-community/parse-server/releases/tag/4.10.3 (Third Party Advisory)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-xqp8-w8 (Third Party Advisory)
- https://jira.mongodb.org/browse/NODE-3463 (Patch, Third Party Advisory)
FAQ
What is CVE-2021-39187?
CVE-2021-39187 is a vulnerability with a CVSS score of 7.5 (HIGH). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes if a query request contains an invalid value ...
How severe is CVE-2021-39187?
CVE-2021-39187 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS Score section above for the severity rating.
Is there a patch for CVE-2021-39187?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.