SCA: security update for parse-server (GHSA-2m6g-crv8-p3c6)

high Tenable Self-Hosted Container Security Plugin ID 408979

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.
Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user
defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and
are only returned to the client using a valid master key. However, using query constraints, these fields
can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response
object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and
protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and
manually remove the query constraints. (CVE-2022-36079)

See Also

https://github.com/advisories/GHSA-2m6g-crv8-p3c6

Plugin Details

Severity: High

ID: 408979

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2022-36079

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/16/2022

Vulnerability Publication Date: 9/7/2022

Reference Information

CVE: CVE-2022-36079

cwe: CWE-200