Severity: Critical (CVSS 9.8) · Ecosystem: npm
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
GHSA-462x-c3jw-7vr6 · BIT-parse-2023-36475 · CVE-2023-36475
Description
Impact
An attacker can use this prototype pollution sink in the MongoDB database adapter to trigger remote code execution through the MongoDB BSON parser.
Patches
The fix prevents prototype pollution in the MongoDB database adapter. It is included in Parse Server 5.5.2 and 6.2.1 (see the release references below).
Workarounds
Disable remote code execution through the MongoDB BSON parser.
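The advisory gives no detail on the sink itself, so the following is an added example, not Parse Server's own code or the actual patch: it shows the generic pattern the "Patches" line describes, a recursive key guard that rejects `__proto__`, `constructor` and `prototype` keys in untrusted JSON before it reaches a database adapter, alongside the naive recursive merge that such a payload pollutes. The function names and the sample request bodies are this example's own constructions and are not taken from the advisory or the project.

```javascript
// Added example, not Parse Server's own code: a key guard and a hardened merge
// of the kind the advisory's "Patches" line describes, rejecting prototype-
// polluting keys in untrusted JSON before it reaches a database adapter.
// Function names and the sample payloads are this example's own constructions.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively walks a JSON-decoded value and throws on any object key that
// could reach Object.prototype when merged. Object.keys is used deliberately:
// JSON.parse stores a literal "__proto__" key as an own property, so it is
// visible here even though obj.__proto__ would resolve to the accessor.
function assertNoPollutingKeys(value, path = '$') {
  if (value === null || typeof value !== 'object') return;
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertNoPollutingKeys(item, `${path}[${i}]`));
    return;
  }
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`prototype-polluting key "${key}" at ${path}`);
    }
    assertNoPollutingKeys(value[key], `${path}.${key}`);
  }
}

// The vulnerable pattern: a recursive merge that assigns through target[key].
// For key "__proto__", target["__proto__"] resolves to Object.prototype, so
// the nested source object is merged into the global prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const s = source[key];
    if (s && typeof s === 'object' && !Array.isArray(s)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// Hardened merge: validate the untrusted side first, then build the result on
// a null-prototype object so no key can chain up to Object.prototype.
function safeMerge(target, source) {
  assertNoPollutingKeys(source);
  const out = Object.create(null);
  for (const key of Object.keys(target)) out[key] = target[key];
  for (const key of Object.keys(source)) {
    const s = source[key];
    if (s && typeof s === 'object' && !Array.isArray(s)) {
      const existing = out[key] && typeof out[key] === 'object' ? out[key] : {};
      out[key] = safeMerge(existing, s);
    } else {
      out[key] = s;
    }
  }
  return out;
}

// Shows the pollution happening with naiveMerge: returns true if a fresh
// object now carries the injected property. The property is deleted in
// `finally` so the rest of the process is not left polluted.
function demoNaivePollution() {
  const body = JSON.parse('{"name":"x","__proto__":{"polluted":true}}'); // constructed payload
  try {
    naiveMerge({}, body);
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

// Runs the guard over a JSON string and reports 'ok' or the rejection message.
function guardResult(json) {
  try {
    assertNoPollutingKeys(JSON.parse(json));
    return 'ok';
  } catch (err) {
    return err.message;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive merge polluted Object.prototype:', demoNaivePollution());
  console.log(guardResult('{"a":{"b":[{"__proto__":{"x":1}}]}}'));
  console.log(guardResult('{"constructor":{"prototype":{"x":1}}}'));
  console.log(safeMerge({ a: 1, nested: { b: 2 } }, { nested: { c: 3 }, d: 4 }));
}
```

Rejecting the keys at the input boundary is the check to add in an adapter that forwards request bodies into queries or updates; building merged results on a null-prototype object is a second layer that holds even if a key slips past validation, since there is no prototype chain for the assignment to reach.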
Credits
- Discovered by hir0ot working with Trend Micro Zero Day Initiative
- Fixed by dbythy
- Reviewed by mtrezza
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-36475
- WEB https://github.com/parse-community/parse-server/issues/8674
- WEB https://github.com/parse-community/parse-server/issues/8675
- WEB https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90
- WEB https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f
- PACKAGE https://github.com/parse-community/parse-server
- WEB https://github.com/parse-community/parse-server/releases/tag/5.5.2
- WEB https://github.com/parse-community/parse-server/releases/tag/6.2.1