Prototype pollution project produces another Parse Server RCE


A prototype pollution vulnerability that could lead to remote code execution (RCE) in Parse Server has been patched.

An attacker could potentially trigger RCE through the MongoDB BSON [Binary JSON] parser by leveraging the flaw (CVE-2022-39396), according to a GitHub security advisory published on November 8.

Parse Server is a popular, open source API server module for Node.js that provides push notification functionality for iOS, macOS, Android, and tvOS.

The security researchers involved are withholding technical details to give developers time to apply patches, so the specifics remain unclear, but the bug is known to be comparable to another prototype pollution-to-RCE issue they disclosed earlier in the year. That vulnerability, which surfaced in March 2022, was given the highest possible severity rating of CVSS 10.

Patch now

“I can confirm that both vulnerabilities have the highest impact because they affect the default configuration of Parse Server and allow an attacker to control the system remotely without any authentication,” Mikhail Shcherbakov, a researcher from the KTH Royal Institute of Technology in Stockholm, told The Daily Swig. “So my advice is to patch Parse Server ASAP, if you have it.”

The flaw has been patched in the NPM parse-server package in versions 4.10.18 and 5.3.1.

The patches prevent prototype pollution in the MongoDB database adapter. If updates cannot be applied immediately, then users can protect themselves in the meantime by disabling RCE through the MongoDB BSON parser.

‘Complex task’

The flaw was discovered during a research project undertaken by Shcherbakov, KTH colleague Musard Balliu, and Cristian-Alexandru Staicu from the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany.

The trio investigated how prototype pollution vulnerabilities in Node.js systems might lead to RCE attacks.

“The detection of prototype pollution is a complex task,” said Shcherbakov. “However, the exploitation that demonstrates a high impact of vulnerabilities is more complicated in practice but still possible.”

The researchers have presented their findings, which also cover two further Node.js targets, NPM CLI and Rocket.Chat, in a white paper (PDF). They are due to present their research at the USENIX Security ’23 conference.

Universal gadgets

Prototype pollution, which affects Node.js and prototype-based languages like JavaScript, involves injecting “properties into an object’s root prototype at runtime [to] subsequently trigger the execution of legitimate code gadgets that access these properties on the object’s prototype,” explains the presentation precis.

The researchers set out to find “end-to-end exploits beyond DoS in full-fledged Node.js applications”, and “the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets”.
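As an added illustration (not code from the article, the researchers’ paper or Parse Server itself), the mechanism described above in miniature: a recursive merge that acts as the pollution sink, a harmless “gadget” that reads an option it never set, and a hardened merge that refuses prototype-reaching keys. The function names and the JSON input are constructed for the example.

```javascript
// Vulnerable sink: walks nested keys without filtering. A key of "__proto__"
// in attacker-controlled JSON makes target["__proto__"] resolve to
// Object.prototype, so the recursion writes into the root prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened sink: only own keys, and the three names that can reach a
// prototype are skipped. Object.freeze(Object.prototype) at startup is a
// complementary, application-wide defence.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(own && typeof own === 'object' ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// "Gadget": legitimate code that reads an option it never set. After pollution
// the lookup on a fresh object falls through to Object.prototype.
function logLevel(opts = {}) {
  return opts.verbose ? 'verbose' : 'normal';
}

// Constructed untrusted input, e.g. a parsed JSON request body.
const UNTRUSTED = JSON.parse('{"name":"demo","__proto__":{"verbose":true}}');

// Runs one merge, records whether Object.prototype was polluted and what the
// gadget now sees, then removes the polluted property so later code is clean.
function demo(merge) {
  const config = merge({}, UNTRUSTED);
  const leaked = logLevel({});
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, 'verbose');
  delete Object.prototype.verbose;
  return { name: config.name, leaked, polluted };
}
```

`demo(unsafeMerge)` reports the pollution and a gadget that suddenly runs in verbose mode; `demo(safeMerge)` keeps the legitimate `name` field and leaves Object.prototype untouched.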

Technical details for the Parse Server RCE will eventually be disclosed via the Trend Micro Zero Day Initiative (ZDI) blog.

Other significant security bugs addressed in Parse Server this year include an issue that enabled brute-force guessing of sensitive user data, and a high severity authentication bypass impacting Apple Game Center.
