SCA: security update for parse-server (GHSA-vm5r-c87r-pf6x)

high Tenable Self-Hosted Container Security Plugin ID 419402

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.
Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server
doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value
of the header. The incorrect client IP address will be used by various features in Parse Server. This
allows to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an
allowed IP address as the `x-forwarded-for` header value. This issue has been patched in version 5.4.1.
The mechanism to determine the client IP address has been rewritten. The correct IP address determination
now requires to set the Parse Server option `trustProxy`. (CVE-2023-22474)

See Also

https://github.com/advisories/GHSA-vm5r-c87r-pf6x

Plugin Details

Severity: High

ID: 419402

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.37

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

CVSS Score Source: CVE-2023-22474

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/31/2023

Vulnerability Publication Date: 1/31/2023

Reference Information

CVE: CVE-2023-22474

cwe: CWE-290