Impact
Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.
Patches
The LiveQueryController now removes protected fields from the client response.
Workarounds
Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
- https://github.com/parse-community/parse-server
For more information
If you have any questions or comments about this advisory:
- For questions or comments about this vulnerability visit our community forum or community chat
- Report other vulnerabilities at report.parseplatform.org
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
- https://nvd.nist.gov/vuln/detail/CVE-2022-31112
- https://github.com/parse-community/parse-server/issues/8073
- https://github.com/parse-community/parse-server/pull/8074
- https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1
- https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6
- https://github.com/parse-community/parse-server/releases/tag/5.2.4
- https://github.com/advisories/GHSA-crrq-vr9j-fxxh