Parse Server DatabaseController RCE Vulnerability
Parse platform, provides SDKs for various environments (Android, iOS, PHP, .NET, …) as well as managed cloud data storage. When creating mobile apps a lot of the development time goes into managing and scaling the data backend, and building out user authentication, push notifications, and/or social media integration. Parse SDKs and cloud storage allow mobile app developers to quickly build functionality and focus efforts on user facing features.
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js:
• Parse Server uses MongoDB or PostgreSQL as a database.
• You can deploy and run Parse Server on your own infrastructure.
• You can develop and test your app locally using Node.
A prototype pollution vulnerability has been reported in Parse Server. This vulnerability is due to improper input validation for the DatabaseController.
A remote, unauthorized attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploiting this vulnerability could result, in the worst case, in remote code execution.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-24760.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).
Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is unproven.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
A remote unauthenticated attacker uses this exploit to inject properties in Object.prototype, or modify existing ones. Successful exploitation could result in; denial of service as the software encounters objects with unexpected properties, or properties with unexpected values. In the worst case it could lead to the execution of arbitrary code on the target server.
Triggering the Problem:
• The target system must have the vulnerable product installed and running.
• The attacker must have network connectivity to the affected ports.
The attacker first stores a crafted object in the target server. The attacker then updates the object using an update operator. The vulnerability is triggered when the target server processes the update request.
The following application protocols can be used to deliver an attack that exploits this vulnerability:
SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:
• IPS: 2653 Parse Server Prototype Pollution RCE
The risks posed by this vulnerability can be mitigated or eliminated by:
• Blocking the affected ports from external network access if they are not required.
• Filtering traffic based on the signature above.
• Upgrading the product to a non-vulnerable version.
The vendor has released the following advisory regarding this vulnerability: