Home > Vulnerability Database > CVE-2023-36475

Mend.io Vulnerability Database

CVE-2023-36475

Good to know:

Date: June 28, 2023

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.

Language: JS

Severity Score

9.8

Related Resources (9)

Url: https://github.com/parse-community/parse-server/issues/8674

Url: https://github.com/parse-community/parse-server/issues/8675

Url: https://github.com/parse-community/parse-server/releases/tag/6.2.1

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-36475

Url: https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6

Url: https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90

Url: https://github.com/parse-community/parse-server/releases/tag/5.5.2

Url: https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f

Url: https://www.mend.io/vulnerability-database/CVE-2023-36475

Severity Score

9.8

Weakness Type (CWE)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Top Fix

Upgrade Version

Upgrade to version parse-server - 5.5.2,6.2.1

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-36475

Good to know:

Date: June 28, 2023

Language: JS

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?