Parse Server may crash when uploading file without extension · CVE-2023-46119 · GitHub Advisory Database · GitHub

Parse Server may crash when uploading file without extension

High severity GitHub Reviewed Published Oct 20, 2023 in parse-community/parse-server • Updated Nov 11, 2023

Package

parse-server (npm)

Affected versions

>= 1.0.0, < 5.5.6

>= 6.0.0, < 6.3.1

Patched versions

5.5.6

6.3.1

Description

Impact

Parse Server crashes when uploading a file without extension.

Patches

A permanent fix has been implemented to prevent the server from crashing.

Workarounds

There are no known workarounds.

References

GitHub security advisory: GHSA-792q-q67h-w579
Patched in Parse Server 6: https://github.com/parse-community/parse-server/releases/tag/6.3.1
Patched in Parse Server 5 (LTS): https://github.com/parse-community/parse-server/releases/tag/5.5.6

References

mtrezza published to parse-community/parse-server

Oct 20, 2023

Published to the GitHub Advisory Database Oct 24, 2023

Reviewed Oct 24, 2023

Published by the National Vulnerability Database

Oct 25, 2023

Last updated Nov 11, 2023

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H