CVE-2023-41058
Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
Description
### Impact A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the `beforeFind` query trigger which can be an additional vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify an incoming query. ### Patches The vulnerability was fixed by implementing a patch in the internal query pipeline to prevent a Parse Pointer to be used to access internal Parse Server classes or circumvent the `beforeFind` trigger. ### Workarounds There is no known workaround to prevent a Parse Pointer to be used to access internal Parse Server classes. A workaround if a `beforeFind` trigger is used as a security layer is to instead use the Parse Server provided [security layers](https://docs.parseplatform.org/parse-server/guide/#security) to manage access levels with Class-Level Permissions and Object-Level Access Control. ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q - Patched in Parse Server 6.x: https://github.com/parse-community/parse-server/releases/tag/6.2.2 - Patched in Parse Server 5.x (LTS): https://github.com/parse-community/parse-server/releases/tag/5.5.5
How to fix CVE-2023-41058
To remediate CVE-2023-41058, upgrade the affected package to a fixed version below.
- —upgrade to 5.5.5 or later
- —upgrade to 5.5.5 or later
Is CVE-2023-41058 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 5.5.5, >= 6.0.0, < 6.2.2