Always-Incorrect Control Flow Implementation
CVE-2023-41058
Summary
Parse Server is an open source backend server. In affected versions the Parse Cloud trigger "beforeFind" is not invoked under certain conditions of "Parse.Query". This poses a vulnerability for deployments where the "beforeFind" trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline into a more concise code structure and adding a patch to ensure the "beforeFind" trigger is invoked. This issue affects Parse Server versions prior to 5.5.5, 6.0.x prior to 6.2.2, and 6.3.x prior to 6.3.0-alpha.9. Users unable to upgrade should rely on Parse Server's built-in security layers, Class-Level Permissions and Object-Level Access Control, to manage access levels, rather than on custom security layers in Cloud Code triggers.
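To illustrate why the advisory recommends CLP/ACL over a trigger-based security layer, here is an added example (not Parse Server's code) with a constructed, simplified query pipeline: a "beforeFind"-style filter that is skipped on one code path, beside a per-object ACL check that is applied to results regardless of path. The object store, the `beforeFind`, `aclAllowsRead` and `find` functions and the `invokeTrigger` flag are all assumptions of this model.

```javascript
// Constructed sample data: each object carries a per-object ACL (assumed format).
const objects = [
  { id: 'o1', owner: 'alice', secret: 'a-data', acl: { alice: { read: true } } },
  { id: 'o2', owner: 'bob',   secret: 'b-data', acl: { bob: { read: true } } },
];

// "beforeFind"-style security layer: rewrites the incoming query so that it
// only matches objects owned by the requesting user.
function beforeFind(query, user) {
  return { ...query, where: { ...query.where, owner: user } };
}

// Data-layer check modelled on Object-Level Access Control: evaluated for
// every result, independent of which code path produced the query.
function aclAllowsRead(obj, user) {
  const entry = obj.acl[user];
  return Boolean(entry && entry.read);
}

// Minimal equality matcher for the constructed "where" clause.
function matches(obj, where) {
  return Object.entries(where).every(([k, v]) => obj[k] === v);
}

// Simplified query pipeline. `invokeTrigger: false` models the advisory's
// condition in which the beforeFind trigger is not invoked (CWE-670: a path
// that does not implement the intended control flow).
function find(query, user, { invokeTrigger, enforceAcl }) {
  let q = query;
  if (invokeTrigger) q = beforeFind(q, user);
  let results = objects.filter(o => matches(o, q.where));
  if (enforceAcl) results = results.filter(o => aclAllowsRead(o, user));
  return results.map(o => o.id);
}

// Compare the outcomes: trigger-only protection fails when the trigger is
// skipped; ACL enforcement still restricts results to the caller's objects.
function demo() {
  const q = { className: 'Note', where: {} };
  return {
    triggerOnly:       find(q, 'alice', { invokeTrigger: true,  enforceAcl: false }),
    triggerSkipped:    find(q, 'alice', { invokeTrigger: false, enforceAcl: false }),
    triggerSkippedAcl: find(q, 'alice', { invokeTrigger: false, enforceAcl: true }),
  };
}
```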
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-670 - Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.