CVE-2022-31112 (GCVE-0-2022-31112)
Vulnerability from cvelistv5
Published
2022-06-30 16:40
Modified
2025-04-23 18:05
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.
References
security-advisories@github.com https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1 Patch, Third Party Advisory
security-advisories@github.com https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6 Patch, Third Party Advisory
security-advisories@github.com https://github.com/parse-community/parse-server/issues/8073 Issue Tracking, Patch, Release Notes, Third Party Advisory
security-advisories@github.com https://github.com/parse-community/parse-server/pull/8074 Patch, Release Notes, Third Party Advisory
security-advisories@github.com https://github.com/parse-community/parse-server/releases/tag/5.2.4 Release Notes, Third Party Advisory
security-advisories@github.com https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1 Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6 Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://github.com/parse-community/parse-server/issues/8073 Issue Tracking, Patch, Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://github.com/parse-community/parse-server/pull/8074 Patch, Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://github.com/parse-community/parse-server/releases/tag/5.2.4 Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh Third Party Advisory
Impacted products
Vendor Product Version
parse-community parse-server Version: < 4.10.13
Version: >= 5.0.0, < 5.2.4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.403Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/parse-community/parse-server/issues/8073"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/parse-community/parse-server/pull/8074"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/parse-community/parse-server/releases/tag/5.2.4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31112",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:53:41.598475Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:05:16.778Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "parse-server",
          "vendor": "parse-community",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.10.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-30T16:40:13.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parse-community/parse-server/issues/8073"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parse-community/parse-server/pull/8074"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parse-community/parse-server/releases/tag/5.2.4"
        }
      ],
      "source": {
        "advisory": "GHSA-crrq-vr9j-fxxh",
        "discovery": "UNKNOWN"
      },
      "title": "Protected fields exposed via LiveQuery in parse-server",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31112",
          "STATE": "PUBLIC",
          "TITLE": "Protected fields exposed via LiveQuery in parse-server"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "parse-server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 4.10.13"
                          },
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.2.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "parse-community"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh",
              "refsource": "CONFIRM",
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh"
            },
            {
              "name": "https://github.com/parse-community/parse-server/issues/8073",
              "refsource": "MISC",
              "url": "https://github.com/parse-community/parse-server/issues/8073"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/8074",
              "refsource": "MISC",
              "url": "https://github.com/parse-community/parse-server/pull/8074"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1",
              "refsource": "MISC",
              "url": "https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6",
              "refsource": "MISC",
              "url": "https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/5.2.4",
              "refsource": "MISC",
              "url": "https://github.com/parse-community/parse-server/releases/tag/5.2.4"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-crrq-vr9j-fxxh",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31112",
    "datePublished": "2022-06-30T16:40:13.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:05:16.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-31112\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-06-30T17:15:07.977\",\"lastModified\":\"2024-11-21T07:03:55.237\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.\"},{\"lang\":\"es\",\"value\":\"Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. En versiones afectadas, Parse Server LiveQuery no elimina los campos protegidos en las clases, pas\u00e1ndolos al cliente. El LiveQueryController ahora elimina los campos protegidos de la respuesta del cliente. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizar deber\u00e1n usar \\\"Parse.Cloud.afterLiveQueryEvent\\\" para eliminar manualmente los campos protegidos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-212\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"4.10.13\",\"matchCriteriaId\":\"9C3D4EDC-0BE1-411C-93E3-2351A4E7B3D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.2.4\",\"matchCriteriaId\":\"19505592-808A-437A-8893-FA009C4CA575\"}]}]}],\"references\":[{\"url\":\"https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/parse-community/parse-server/issues/8073\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/parse-community/parse-server/pull/8074\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/parse-community/parse-server/releases/tag/5.2.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/parse-community/parse-server/issues/8073\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/parse-community/parse-server/pull/8074\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/parse-community/parse-server/releases/tag/5.2.4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/parse-community/parse-server/issues/8073\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/parse-community/parse-server/pull/8074\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/parse-community/parse-server/releases/tag/5.2.4\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T07:11:39.403Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-31112\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T15:53:41.598475Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T15:53:43.301Z\"}}], \"cna\": {\"title\": \"Protected fields exposed via LiveQuery in parse-server\", \"source\": {\"advisory\": \"GHSA-crrq-vr9j-fxxh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"parse-community\", \"product\": \"parse-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.10.13\"}, {\"status\": \"affected\", \"version\": \"\u003e= 5.0.0, \u003c 5.2.4\"}]}], \"references\": [{\"url\": \"https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/parse-community/parse-server/issues/8073\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/parse-community/parse-server/pull/8074\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/parse-community/parse-server/releases/tag/5.2.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-06-30T16:40:13.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"GHSA-crrq-vr9j-fxxh\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003c 4.10.13\"}, {\"version_value\": \"\u003e= 5.0.0, \u003c 5.2.4\"}]}, \"product_name\": \"parse-server\"}]}, \"vendor_name\": \"parse-community\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh\", \"name\": \"https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/parse-community/parse-server/issues/8073\", \"name\": \"https://github.com/parse-community/parse-server/issues/8073\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/parse-community/parse-server/pull/8074\", \"name\": \"https://github.com/parse-community/parse-server/pull/8074\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1\", \"name\": \"https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6\", \"name\": \"https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/parse-community/parse-server/releases/tag/5.2.4\", \"name\": \"https://github.com/parse-community/parse-server/releases/tag/5.2.4\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-31112\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Protected fields exposed via LiveQuery in parse-server\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-31112\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T18:05:16.778Z\", \"dateReserved\": \"2022-05-18T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-06-30T16:40:13.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.