CVE-2023-22474

2023-02-0320:15:10

CWE-290

GitHub_M

web.nvd.nist.gov

cve

parse server

ip address

security

node.js

nvd

vulnerability

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

AI Score

7.8

Confidence

High

EPSS

0.001

Percentile

27.7%

JSON

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn’t run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows to circumvent the security mechanism of the Parse Server option masterKeyIps by setting an allowed IP address as the x-forwarded-for header value. This issue has been patched in version 5.4.1. The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires to set the Parse Server option trustProxy.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

parseplatformparse-serverRange<5.4.1node.js

VendorProductVersionCPE
parseplatformparse-server*cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
parseplatform	parse-server	*	cpe:2.3:a:parseplatform:parse-server::::::node.js::*

CNA Affected

[
  {
    "vendor": "parse-community",
    "product": "parse-server",
    "versions": [
      {
        "version": "< 5.4.1",
        "status": "affected"
      }
    ]
  }
]