CVE-2022-31112

Description

### Impact Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. ### Patches The LiveQueryController now removes protected fields from the client response. ### Workarounds Use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh - https://github.com/parse-community/parse-server ### For more information If you have any questions or comments about this advisory: - For questions or comments about this vulnerability visit our [community forum](http://community.parseplatform.org/) or [community chat](http://chat.parseplatform.org/) - Report other vulnerabilities at [report.parseplatform.org](https://report.parseplatform.org/)

How to fix CVE-2022-31112

To remediate CVE-2022-31112, upgrade the affected package to a fixed version below.

• —upgrade to 4.10.13 or later
• —upgrade to 4.10.13 or later

Is CVE-2022-31112 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 4.10.13, >= 5.0.0, < 5.2.4
• from 0, < 4.10.13

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-31112
• PATCHgithub.com/parse-community/parse-server
• WEBgithub.com/parse-community/parse-server/commit/054f3e6ab01d66a0dcfb77725af28eac1485b375
• WEBgithub.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1