Always-Incorrect Control Flow Implementation

CVE-2023-41058

Severity High
Score 7.5/10

Summary

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger "beforeFind" is not invoked under certain conditions of "Parse.Query". This can pose a vulnerability for deployments where the "beforeFind" trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline into a more concise code structure and applying a patch to ensure the "beforeFind" trigger is invoked. This issue affects Parse Server versions prior to 5.5.5, 6.0.x prior to 6.2.2, and 6.3.x prior to 6.3.0-alpha.9. Users unable to upgrade should rely on Parse Server's built-in security layers, Class-Level Permissions and Object-Level Access Control, to manage access levels; these should be used instead of custom security layers in Cloud Code triggers.

  • Attack complexity: LOW
  • Attack vector: NETWORK
  • Privileges required: NONE
  • Scope: UNCHANGED
  • User interaction: NONE
  • Confidentiality: NONE
  • Integrity: HIGH
  • Availability: NONE

CWE-670 - Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
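To make concrete why the summary steers users toward Class-Level Permissions and Object-Level Access Control rather than a trigger, here is an added, self-contained JavaScript model, not Parse Server's code: a query store with two code paths, only one of which invokes a beforeFind-style hook, beside an ACL check enforced inside the data layer that applies on both. The names `QueryStore`, `findViaRest`, `findViaInternal`, `ownerOnlyHook` and `compare`, and the sample rows, are assumptions constructed for the example.

```javascript
// Constructed toy model, not Parse Server code: a filter that lives only in a
// beforeFind-style hook is lost on a path that skips the hook, while ACLs
// enforced inside the data layer apply on every path.
const ROWS = [ // sample rows, constructed; `acl` lists users allowed to read
  { objectId: 'a1', owner: 'alice', acl: ['alice'], secret: 'alice-only' },
  { objectId: 'b2', owner: 'bob',   acl: ['bob'],   secret: 'bob-only' },
];

class QueryStore {
  // beforeFind: optional hook that may rewrite the query (Cloud Code style);
  // enforceAcl: whether the store itself checks per-object read ACLs.
  constructor(rows, { beforeFind = null, enforceAcl = false } = {}) {
    this.rows = rows;
    this.beforeFind = beforeFind;
    this.enforceAcl = enforceAcl;
  }
  // The data-layer check runs for every read, whatever path reached it.
  execute(query, user) {
    return this.rows.filter(r =>
      (!this.enforceAcl || r.acl.includes(user)) &&
      Object.entries(query).every(([k, v]) => r[k] === v));
  }
  // Path 1: invokes the hook before executing (the intended pipeline).
  findViaRest(query, user) {
    const q = this.beforeFind ? this.beforeFind(query, user) : query;
    return this.execute(q, user);
  }
  // Path 2: an alternate pipeline that never calls the hook. This is the
  // CWE-670 shape: the path does not implement the intended control flow.
  findViaInternal(query, user) {
    return this.execute(query, user);
  }
}

// "Security layer" implemented only in the hook: restrict to the caller's rows.
const ownerOnlyHook = (query, user) => ({ ...query, owner: user });

// Returns the objectIds each approach lets `user` read on each path.
function compare(user) {
  const hookOnly = new QueryStore(ROWS, { beforeFind: ownerOnlyHook });
  const aclStore = new QueryStore(ROWS, { enforceAcl: true });
  const ids = rows => rows.map(r => r.objectId);
  return {
    hookRest: ids(hookOnly.findViaRest({}, user)),
    hookInternal: ids(hookOnly.findViaInternal({}, user)), // leaks other rows
    aclRest: ids(aclStore.findViaRest({}, user)),
    aclInternal: ids(aclStore.findViaInternal({}, user)),
  };
}
```

Running `compare('bob')` shows the hook-only store returning both rows on the path that skips the hook, while the ACL-enforcing store returns only bob's row on either path.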

Advisory Timeline

  • Published