Vulnerability Details : CVE-2022-24760


CVE Name: CVE-2022-24760: Code Execution vulnerability on Parseplatform Parse Server, Microsoft Windows, Canonical Ubuntu Linux
Description: Parse Server is an open-source HTTP web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with the code referenced in the source advisory GHSA-p6h4-93qp-jhcm.
Publish date: 2022-03-12T00:15Z
Last Update: 2022-07-01T16:06Z

CVSS Scores & Vulnerability Types


CVSS Score
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Vulnerability Type(s): Code Execution
CWE ID: 1321

Products Affected By CVE-2022-24760


# | Vendor        | Product       | Vulnerable Versions
1 | Parseplatform | Parse Server  | 1
2 | Microsoft     | Windows       | 1
3 | Canonical     | Ubuntu Linux  | 1

Detail of Versions Affected


# | Product Type     | Vendor        | Product       | Version | Platform
1 | Application      | Parseplatform | Parse Server  | *       | Node.Js
2 | Operating System | Microsoft     | Windows       |         |
3 | Operating System | Canonical     | Ubuntu Linux  |         |