CVE-2023-36475 - Vulnerability Details - OpenCVE

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Parseplatform	Parse-server

Configuration 1 [-]

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*

No data.

References

Link	Providers
https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90
https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f
https://github.com/parse-community/parse-server/issues/8674
https://github.com/parse-community/parse-server/issues/8675
https://github.com/parse-community/parse-server/releases/tag/5.5.2
https://github.com/parse-community/parse-server/releases/tag/6.2.1
https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6

History

Wed, 27 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-28T22:32:10.081Z

Updated: 2024-11-27T14:44:09.330Z

Reserved: 2023-06-21T18:50:41.703Z

Link: CVE-2023-36475

Vulnrichment

Updated: 2024-08-02T16:45:57.041Z

NVD

Status : Modified

Published: 2023-06-28T23:15:21.140

Modified: 2024-11-21T08:09:47.380

Link: CVE-2023-36475

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-36475", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-21T18:50:41.703Z", "datePublished": "2023-06-28T22:32:10.081Z", "dateUpdated": "2024-11-27T14:44:09.330Z"}, "containers": {"cna": {"title": "Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"}, {"name": "https://github.com/parse-community/parse-server/issues/8674", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/issues/8674"}, {"name": "https://github.com/parse-community/parse-server/issues/8675", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/issues/8675"}, {"name": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"}, {"name": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 5.5.2", "status": "affected"}, {"version": ">= 6.0.0, < 6.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-28T22:32:10.081Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1."}], "source": {"advisory": "GHSA-462x-c3jw-7vr6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:45:57.041Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"}, {"name": "https://github.com/parse-community/parse-server/issues/8674", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/issues/8674"}, {"name": "https://github.com/parse-community/parse-server/issues/8675", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/issues/8675"}, {"name": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"}, {"name": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-27T14:43:51.427204Z", "id": "CVE-2023-36475", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-27T14:44:09.330Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-36475", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-21T18:50:41.703Z", "datePublished": "2023-06-28T22:32:10.081Z", "dateUpdated": "2024-11-27T14:44:09.330Z"}, "containers": {"cna": {"title": "Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"}, {"name": "https://github.com/parse-community/parse-server/issues/8674", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/issues/8674"}, {"name": "https://github.com/parse-community/parse-server/issues/8675", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/issues/8675"}, {"name": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"}, {"name": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 5.5.2", "status": "affected"}, {"version": ">= 6.0.0, < 6.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-28T22:32:10.081Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1."}], "source": {"advisory": "GHSA-462x-c3jw-7vr6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:45:57.041Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"}, {"name": "https://github.com/parse-community/parse-server/issues/8674", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/issues/8674"}, {"name": "https://github.com/parse-community/parse-server/issues/8675", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/issues/8675"}, {"name": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"}, {"name": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/5.5.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/6.2.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-36475", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-27T14:43:51.427204Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-27T14:44:05.337Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8059544D-58C9-4AA3-8ABF-C29439C1EF8E", "versionEndExcluding": "5.5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "505FD02D-F6D9-4B39-B963-03604E91D129", "versionEndExcluding": "6.2.1", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede desplegarse en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 5.5.2 y 6.2.1, un atacante puede utilizar un prototipo de \"pollution sink\" para desencadenar una ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s del analizador BSON de MongoDB. Hay un parche disponible en las versiones 5.5.2 y 6.2.1. "}], "id": "CVE-2023-36475", "lastModified": "2024-11-21T08:09:47.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-28T23:15:21.140", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/issues/8674"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/issues/8675"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/issues/8674"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/issues/8675"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Secondary"}]}