CVE-2022-36079— Parse Server 信息泄露漏洞

Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

信息暴露

Parse Server 信息泄露漏洞

Parse Server是一个开源后端，可以部署到任何可以运行 Node.js 的基础设施。 Parse Server 4.10.14之前版本和5.2.5之前版本存在信息泄露漏洞，该漏洞源于使用查询约束，可以通过枚举来猜测这些字段，直到返回响应对象。

N/A

N/A