Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Parse Server vulnerable to brute force guessing of user sensitive data via search patterns
Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Parse Server strips internal and protected fields from responses and only returns them to a client that supplies a valid master key. However, because these fields can still be used as query constraints, their values can be guessed by enumeration: each guess is submitted as a constraint, and Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object once the guess matches. The patch available in versions 4.10.14 and 5.2.5 requires the master key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints.
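The workaround above, as an added example that is not Parse Server's own code: a `beforeFind` Cloud Code trigger that removes constraints on internal (`_`-prefixed) and protected fields from the incoming query unless the request carries the master key. The protected-field list (`email`, `phone`), the function names, and the sample query are assumptions for this example; the trigger wiring assumes the Parse JS SDK's `Parse.Query#toJSON()`, `Parse.Query.fromJSON()` and the `master` flag on the `beforeFind` request object.

```javascript
// Added example (not Parse Server code): implements the advisory's workaround by
// stripping query constraints on internal and protected fields in beforeFind.

const DEFAULT_PROTECTED_FIELDS = ['email', 'phone']; // assumed user-defined protected fields

// Logical operators in Parse's REST "where" syntax whose operands are sub-clauses.
const LOGICAL_OPS = new Set(['$or', '$and', '$nor']);

function isSensitiveKey(key, protectedFields) {
  return key.startsWith('_') || protectedFields.includes(key);
}

// Walk a Parse "where" object and drop every constraint whose key is internal or
// protected, including constraints nested inside $or/$and/$nor. A guess such as
// {"_email_verify_token": "abc"} or {"email": {"$regex": "^a"}} therefore no longer
// acts as a yes/no oracle. Removal only ever widens a branch, which is the safe
// direction: an emptied $or branch would match every object, so the whole $or is
// dropped; emptied $and/$nor branches are simply discarded.
// Returns the cleaned clause and the list of keys that were removed.
function stripSensitiveConstraints(where, protectedFields = DEFAULT_PROTECTED_FIELDS) {
  const removed = [];

  function walk(clause) {
    const out = {};
    for (const [key, value] of Object.entries(clause)) {
      if (LOGICAL_OPS.has(key) && Array.isArray(value)) {
        const branches = value.map((branch) => walk(branch));
        const nonEmpty = branches.filter((b) => Object.keys(b).length > 0);
        if (key === '$or' && nonEmpty.length !== branches.length) continue; // drop the $or
        if (nonEmpty.length > 0) out[key] = nonEmpty;
      } else if (isSensitiveKey(key, protectedFields)) {
        removed.push(key);
      } else {
        out[key] = value;
      }
    }
    return out;
  }

  return { where: walk(where), removed };
}

// Wire the filter into Cloud Code. `Parse` is passed in rather than required so the
// file also runs stand-alone; in cloud/main.js call installBeforeFindGuard(Parse, '_User').
function installBeforeFindGuard(Parse, className, protectedFields = DEFAULT_PROTECTED_FIELDS) {
  Parse.Cloud.beforeFind(className, (request) => {
    if (request.master) return request.query; // the master key may query these fields
    const json = request.query.toJSON();
    const { where, removed } = stripSensitiveConstraints(json.where || {}, protectedFields);
    if (removed.length === 0) return request.query;
    console.warn(`beforeFind(${className}): removed constraints on ${removed.join(', ')}`);
    return Parse.Query.fromJSON(className, { ...json, where });
  });
}

// Constructed sample of what a guessing client might send to /classes/_User.
const SAMPLE_WHERE = {
  username: 'alice',
  _email_verify_token: 'a0b1c2',          // internal field, enumerated one guess at a time
  email: { $regex: '^al' },               // protected field, prefix guessing via $regex
  $or: [{ _perishable_token: 'x' }, { age: 3 }],
  $and: [{ age: { $gt: 1 } }, { _hashed_password: 'h' }],
};

// Runs the filter over the constructed sample; left are only `username` and the
// clean half of the $and clause.
function demo() {
  return stripSensitiveConstraints(SAMPLE_WHERE);
}
```

Note the limits of a trigger-based workaround: this snippet only inspects the top-level `where` and its `$or`/`$and`/`$nor` branches, not the `where` of sub-queries carried in `$inQuery`, `$select` or similar operators, and it widens rather than rejects the query, so the caller cannot tell that a constraint was dropped. Upgrading to 4.10.14 or 5.2.5, where the server itself refuses these constraints without the master key, is the complete fix.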
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
Information Exposure
Vulnerability Title
Parse Server information disclosure vulnerability
Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server versions before 4.10.14 and versions before 5.2.5 contain an information disclosure vulnerability: because internal and protected fields can be used as query constraints, their values can be guessed by enumeration until a response object is returned.
CVSS Information
N/A
Vulnerability Type
N/A