CVE-2022-41879, GHSA-93vw-8fm5-p2jf, GMS-2022-6745
npm/parse-server
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist
option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds.
All versions before 4.10.20, all versions starting from 5.0.0 before 5.3.3
Upgrade to versions 4.10.20, 5.3.3 or above.
2022-11-18
source |