Skip to content

ZDI-CAN-18806: Prototype pollution via Cloud Code Webhooks

High
mtrezza published GHSA-93vw-8fm5-p2jf Nov 9, 2022

Package

npm parse-server (npm)

Affected versions

(<4.10.20) || (>=5.0.0 <5.3.3)

Patched versions

(>=4.10.20 <5.0.0) || (>=5.3.3)

Description

Impact

A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.

Patches

Improved keyword detection.

Workarounds

None.

Collaborators

Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

References

Severity

High
7.2
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2022-41879

Weaknesses

No CWEs