Vulnerability Description
Parse Server is an open source HTTP web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is prototype-pollution-prone code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with the code referenced in the source advisory GHSA-p6h4-93qp-jhcm.
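The description names prototype pollution as the root weakness. As an added illustration of that bug class (not Parse Server's `DatabaseController.js` code, and not the actual vulnerable or patched logic from the advisory), the block below shows a generic recursive object merge that lets a JSON key named `__proto__` write into `Object.prototype`, a hardened merge that rejects the dangerous keys, and a small walker that reports where such keys occur in an incoming document so that the request can be refused and logged. The payload, function names and behaviour are all constructed for the example.

```javascript
// Generic prototype-pollution illustration. Constructed example; it is not
// Parse Server's own code and does not reproduce the advisory's exploit.

// Keys that must never be merged into a plain object from untrusted input.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe pattern: recursively copy every key of `source` into `target`.
// `target['__proto__']` resolves to Object.prototype, so an attacker-chosen
// key lands on every object in the process instead of on `target`.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: enumerate own keys only, refuse prototype-related keys
// outright (so the event is visible to the caller and can be logged), and
// only recurse into containers that are own, plain objects of `target`.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`rejected unsafe key in input: ${key}`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Validation/detection helper: return dotted paths of every unsafe key in a
// decoded JSON document, so a request can be rejected before any merge runs.
function findUnsafeKeys(doc, path = '') {
  const hits = [];
  if (doc === null || typeof doc !== 'object') return hits;
  for (const key of Object.keys(doc)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) hits.push(here);
    hits.push(...findUnsafeKeys(doc[key], here));
  }
  return hits;
}

// Runs both merges against a constructed payload and reports what happened.
// The pollution is undone afterwards so the rest of the process is unaffected.
function demonstrate() {
  // JSON.parse creates an *own* property literally named "__proto__".
  const payload = JSON.parse('{"name":"x","__proto__":{"polluted":true}}');
  const before = ({}).polluted === undefined;
  unsafeMerge({}, payload);
  const after = ({}).polluted === true; // every object now "has" polluted
  delete Object.prototype.polluted;      // clean up the global side effect
  let rejected = false;
  try {
    safeMerge({}, payload);
  } catch (e) {
    rejected = true;
  }
  return { before, after, rejected, cleanedUp: ({}).polluted === undefined };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
  console.log(findUnsafeKeys(JSON.parse('{"a":{"constructor":{"prototype":{"x":1}}}}')));
}
```

The hardened merge throws rather than silently dropping the key, because a `__proto__` or `constructor.prototype` key in a client-supplied document is itself a signal worth surfacing in application logs. Running `findUnsafeKeys` on decoded request bodies at the API boundary gives the same signal without touching the persistence layer.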
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 4.10.7 |
| Canonical | Ubuntu Linux | - |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/commit/886bfd7cac69496e3f73d4bb5 (Patch, Third Party Advisory)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93 (Exploit, Mitigation, Third Party Advisory)
- https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099/ (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2022-24760?
CVE-2022-24760 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Parse Server is an open source HTTP web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the...
How severe is CVE-2022-24760?
CVE-2022-24760 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-24760?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server, Canonical Ubuntu Linux, Microsoft Windows.