CVE-2023-32688

parse-server-push-adapter is the official Push Notification adapter for Parse Server. The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. This issue has been patched in version 4.1.3.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server-push-adapter/pull/217	Patch
https://github.com/parse-community/parse-server-push-adapter/releases/tag/4.1.3	Release Notes
https://github.com/parse-community/parse-server-push-adapter/security/advisories/GHSA-mxhg-rvwx-x993	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:parseplatform:parse_server_push_adapter:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2023-05-27 04:15

Updated : 2023-06-02 18:58

NVD link : CVE-2023-32688

Mitre link : CVE-2023-32688

CVE.ORG link : CVE-2023-32688

JSON object : View

Products Affected

parseplatform

parse_server_push_adapter

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2023-32688", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2023-05-27T04:15:25.480", "references": [{"url": "https://github.com/parse-community/parse-server-push-adapter/pull/217", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server-push-adapter/releases/tag/4.1.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server-push-adapter/security/advisories/GHSA-mxhg-rvwx-x993", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "parse-server-push-adapter is the official Push Notification adapter for Parse Server. The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. This issue has been patched in version 4.1.3.\n"}], "lastModified": "2023-06-02T18:58:42.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse_server_push_adapter:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "38423D6A-6E40-45E2-872C-133EEB239FA6", "versionEndExcluding": "4.1.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}