GraphQL: Security breach on Viewer query

Impact

An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.

Patches

This vulnerability has been patched in Parse Server 4.3.0.

Workarounds

No

References

See commit 78239ac for details.

References

davimacedo published to parse-community/parse-server Jul 22, 2020

Reviewed Jul 22, 2020

Published to the GitHub Advisory Database Jul 22, 2020

Last updated Oct 26, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits