CVE-2023-46119

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe	Patch
https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0	Patch
https://github.com/parse-community/parse-server/releases/tag/5.5.6	Release Notes
https://github.com/parse-community/parse-server/releases/tag/6.3.1	Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*

History

No history.

Information

Published : 2023-10-25 18:17

Updated : 2023-11-01 17:09

NVD link : CVE-2023-46119

Mitre link : CVE-2023-46119

CVE.ORG link : CVE-2023-46119

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-23

Relative Path Traversal

{"id": "CVE-2023-46119", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-25T18:17:36.183", "references": [{"url": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.6", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/releases/tag/6.3.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-23"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.\n\n"}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que se puede implementar en cualquier infraestructura que pueda ejecutar Node.js. Parse Server falla al cargar un archivo sin extensi\u00f3n. Esta vulnerabilidad ha sido parcheada en las versiones 5.5.6 y 6.3.1."}], "lastModified": "2023-11-01T17:09:01.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DD729BE7-3FF0-420D-BB40-5CC4D7AAA89A", "versionEndExcluding": "5.5.6", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E2229024-7226-4410-85D7-80CDA49F303B", "versionEndExcluding": "6.3.1", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}