Bitnami package
parse
pkg:bitnami/parse
Vulnerabilities (104)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-27298 | — | | | < 6.5.0 | 6.5.0 | Mar 1, 2024 | parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20. |
| CVE-2023-46119 | — | | | >= 1.0.0, < 5.5.6 | 5.5.6 | Oct 25, 2023 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1. |
| CVE-2023-41058 | — | | | < 5.5.5 | 5.5.5 | Sep 4, 2023 | Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the i |
| CVE-2023-36475 | — | | | < 5.5.2 | 5.5.2 | Jun 28, 2023 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in ve |
| CVE-2023-32689 | — | | | < 5.4.4 | 5.4.4 | May 30, 2023 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file t |
| CVE-2023-22474 | — | | | < 5.4.1 | 5.4.1 | Feb 3, 2023 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header |
| CVE-2022-41879 | — | | | < 4.10.20 | 4.10.20 | Nov 10, 2022 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `r |
| CVE-2022-41878 | — | | | < 4.10.19 | 4.10.19 | Nov 10, 2022 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This |
| CVE-2022-39396 | — | | | < 4.10.18 | 4.10.18 | Nov 10, 2022 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution s |
| CVE-2022-39313 | — | | | < 4.10.17 | 4.10.17 | Oct 24, 2022 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. Th |
| CVE-2022-39231 | — | | | < 4.10.16 | 4.10.16 | Sep 23, 2022 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. Configurations which all |
| CVE-2022-39225 | — | | | < 4.10.15 | 4.10.15 | Sep 23, 2022 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attac |
| CVE-2022-36079 | — | | | < 4.10.14 | 4.10.14 | Sep 7, 2022 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are |
| CVE-2022-31112 | — | | | < 4.10.13 | 4.10.13 | Jun 30, 2022 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from t |
| CVE-2022-31089 | — | | | < 4.10.12 | 4.10.12 | Jun 27, 2022 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid file requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, |
| CVE-2022-31083 | — | | | < 4.10.11 | 4.10.11 | Jun 17, 2022 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter is not validated. As a result, authentication could potentially be bypassed |
| CVE-2022-24901 | — | | | < 4.10.10 | 4.10.10 | May 4, 2022 | Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks o |
| CVE-2022-24760 | — | | | < 4.10.7 | 4.10.7 | Mar 11, 2022 | Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the |
| CVE-2021-41109 | — | | | < 4.10.4 | 4.10.4 | Sep 30, 2021 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a Li |
| CVE-2021-39187 | — | | | < 4.10.3 | 4.10.3 | Sep 2, 2021 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes if a query request contains an invalid value for the `explain` option. This is due to a bug in the MongoDB Node.js driver whi |
Page 5 of 6