MEDIUM 6.5

GHSA-236h-rqv8-8q73

GraphQL: Security breach on Viewer query

Details

### Impact An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.

### Patches This vulnerability has been patched in Parse Server 4.3.0.

### Workarounds No

### References See [commit 78239ac](https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa) for details.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / parse-server

Introduced in: 3.5.0 Fixed in: 4.3.0

Fix npm install parse-server@4.3.0

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2020-15126 [ADVISORY]
https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa [WEB]
https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430 [WEB]