SB2020072235 - Improper access control in parse-server
Published: July 22, 2020 Updated: May 23, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2020-15126)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the viewer GraphQL query when it returns the authenticated user's User object and the objects linked to it. A remote user can issue the viewer query to bypass read security on those objects and disclose sensitive information.
The issue affects the authenticated user's User object and any objects linked to it through a relation or pointer field on that User object.
Remediation
Install the update from the vendor's website.