CRITICAL 9.8
GHSA-462x-c3jw-7vr6
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
Details
### Impact
An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.
### Patches
Prevent prototype pollution in MongoDB database adapter.
### Workarounds
Disable remote code execution through the MongoDB BSON parser.
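As an added illustration of the kind of guard the patch section refers to (this is example code written for this page, not Parse Server's own fix), the function below walks an object destined for a database adapter and rejects keys that would reach `Object.prototype`, including MongoDB dot-notation paths. The function names and the sample payloads are constructed for the example.

```javascript
// Added example (not Parse Server's own code): a guard that rejects
// prototype-polluting keys before an object reaches a database adapter.
// Function names and sample payloads are constructed for illustration.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns the first offending key path found, or null if the value is clean.
// Walks plain objects and arrays, and also splits MongoDB dot-notation
// paths (e.g. "a.__proto__.b") because each segment becomes a nested key.
function findPrototypePollution(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPrototypePollution(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  // Object.keys lists an own "__proto__" key, which JSON.parse does create.
  for (const key of Object.keys(value)) {
    const full = path ? `${path}.${key}` : key;
    for (const segment of key.split('.')) {
      if (FORBIDDEN_KEYS.has(segment)) return full;
    }
    const hit = findPrototypePollution(value[key], full);
    if (hit) return hit;
  }
  return null;
}

// Wrapper an adapter could call at its boundary: throws instead of forwarding.
function assertNoPrototypePollution(doc) {
  const hit = findPrototypePollution(doc);
  if (hit !== null) throw new Error(`prototype pollution attempt at "${hit}"`);
  return doc;
}

// Constructed sample payloads: a benign update and a polluted one.
const benign = JSON.parse('{"name":"alice","tags":["a","b"],"score":{"value":1}}');
const polluted = JSON.parse('{"name":"bob","$set":{"x.__proto__.y":1}}');
```

A guard like this is a boundary check; it complements, rather than replaces, upgrading to a fixed release, and schemas that legitimately use a field named `constructor` would need that key removed from the blocklist.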
### Credits
- Discovered by hir0ot working with Trend Micro Zero Day Initiative
- Fixed by dbythy
- Reviewed by mtrezza
### References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6
- https://github.com/advisories/GHSA-prm5-8g2m-24gg
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2023-36475 [ADVISORY]
- https://github.com/parse-community/parse-server/issues/8674 [WEB]
- https://github.com/parse-community/parse-server/issues/8675 [WEB]
- https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90 [WEB]
- https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f [WEB]
- https://github.com/parse-community/parse-server [PACKAGE]
- https://github.com/parse-community/parse-server/releases/tag/5.5.2 [WEB]
- https://github.com/parse-community/parse-server/releases/tag/6.2.1 [WEB]