CVE-2020-15126
GraphQL: Security breach on Viewer query
6.5
MEDIUM
CVSS 3.1
EPSS 0.46%
Description
### Impact
An authenticated user issuing the `viewer` GraphQL query can bypass all read security (class-level and object-level permissions) on their own User object, and can likewise bypass read security on every object reachable from that User object through a Relation or Pointer field.
### Patches
This vulnerability has been patched in Parse Server 4.3.0.
### Workarounds
None.
### References
See [commit 78239ac](https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa) for details.
How to fix CVE-2020-15126
To remediate CVE-2020-15126, upgrade the affected package to a fixed version below.
- parse-server: upgrade to 4.3.0 or later
Is CVE-2020-15126 being exploited?
Low: EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- parse-server: >= 3.5.0, < 4.3.0
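The remediation above is a version-range check: an installation is exposed when its parse-server version is at least 3.5.0 and below 4.3.0. The following is an added example, not code from the advisory or from the Parse Server project, that performs that check without any npm dependency. The `npm ls --json`-style input is a constructed sample, and the minimal semver parser is an assumption that is sufficient for release and simple prerelease tags of this package, not a full implementation of the semver specification.

```javascript
// Added example (not part of the advisory): decide whether an installed
// parse-server version lies inside the affected range for CVE-2020-15126,
// ">= 3.5.0, < 4.3.0", using a small self-contained semver comparison.

// Parse "MAJOR.MINOR.PATCH" with an optional "-prerelease" and/or "+build" suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Compare two versions: numeric core first; a prerelease sorts below the
// corresponding release, so "4.3.0-beta.1" is still older than the fix.
// Prerelease-vs-prerelease ordering is a plain string comparison here
// (simplification; the real semver rules are more detailed).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.prerelease === pb.prerelease) return 0;
  if (pa.prerelease === null) return 1;
  if (pb.prerelease === null) return -1;
  return pa.prerelease < pb.prerelease ? -1 : 1;
}

// Affected range as published for CVE-2020-15126: introduced in 3.5.0, fixed in 4.3.0.
const AFFECTED_RANGE = { introduced: '3.5.0', fixed: '4.3.0' };

function isAffected(installed, range = AFFECTED_RANGE) {
  return compareVersions(installed, range.introduced) >= 0 &&
         compareVersions(installed, range.fixed) < 0;
}

// Constructed sample shaped like the output of `npm ls parse-server --json`
// (not real output from any deployment).
const sampleNpmLs = { dependencies: { 'parse-server': { version: '4.2.0' } } };

// Look the package up in an `npm ls --json` tree and report the verdict.
function checkNpmLs(tree, pkg = 'parse-server') {
  const dep = tree.dependencies && tree.dependencies[pkg];
  if (!dep) return { installed: null, affected: false };
  return { installed: dep.version, affected: isAffected(dep.version) };
}

console.log(checkNpmLs(sampleNpmLs)); // { installed: '4.2.0', affected: true }
```

In practice, feed `checkNpmLs` the parsed JSON from `npm ls parse-server --json` run in the application directory; a result with `affected: true` means the deployment should be upgraded to 4.3.0 or later.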
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |