Parse Server is a widely used open source backend that runs on Node.js and deploys to a range of infrastructures, letting developers build custom web applications and APIs quickly. However, in versions prior to 5.3.2 and 4.10.19, a vulnerability allows the requestKeywordDenylist option to be bypassed through Cloud Code Webhooks or Triggers, so that keywords the option is meant to block can be injected into the Parse Server database. The issue is fixed in versions 4.10.19 and 5.3.2, so upgrading to one of those versions is strongly recommended. If upgrading is not feasible, workarounds are also available.

The Vulnerability

CVE-2022-41878 concerns Parse Server's requestKeywordDenylist feature: keywords that the option is configured to reject could still be stored in the database. The problem arises because untrusted parties can inject these keywords via Cloud Code Webhooks or Triggers, bypassing the denylist check and potentially leading to exploitation.

Original References

1. Official Parse Server GitHub Repository
2. CVE-2022-41878 - NVD Details

The Exploit

Because keywords listed in requestKeywordDenylist can slip past the denylist check when they arrive through Cloud Code Webhooks or Triggers, a malicious party with enough influence over the webhook endpoints could use this vulnerability to manipulate data stored in the Parse Server or gain unauthorized access.

Example

Here's a code snippet demonstrating the vulnerability, assuming the Parse Server uses an older version prior to the fix:

// Cloud Code Function
Parse.Cloud.define("injectKeyword", async (request) => {
  const objectToSave = new Parse.Object("ExampleClass");

  // This potentially harmful keyword can bypass the requestKeywordDenylist
  const maliciousKeyword = "$forbiddenKeyword";
  objectToSave.set(maliciousKeyword, "Malicious Data");

  await objectToSave.save();
});

In this example, the vulnerable Cloud Code path lets the denylisted keyword bypass the requestKeywordDenylist check and be stored in the database, leading to potential exploitation.
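As an added defensive example (not code from the Parse Server project or the original post), the following scan walks a request payload and reports any key or value that matches a denylist with the same shape as requestKeywordDenylist. It can be called at the top of a Cloud Code beforeSave trigger or webhook handler so that a write like the one above is rejected before it reaches the database. The denylist entries, the sample request and the function names are constructed for this illustration.

```javascript
// Denylist with the same shape as requestKeywordDenylist entries: { key } or
// { value }. Entries may be exact strings or RegExp patterns (constructed here).
const DENYLIST = [
  { key: '__proto__' },
  { key: 'constructor' },
  { key: '_bsontype' },
  { key: /^\$/ },               // operator-style keys such as "$forbiddenKeyword"
  { key: /\./ },                // dotted keys that address nested paths
  { value: '$forbiddenValue' }, // placeholder value rule
];

function matches(rule, subject) {
  return rule instanceof RegExp ? rule.test(subject) : rule === subject;
}

// Recursively walk the payload; returns [{ path, rule }] for every match.
function findDeniedKeywords(payload, path = [], hits = []) {
  if (Array.isArray(payload)) {
    payload.forEach((item, i) => findDeniedKeywords(item, [...path, String(i)], hits));
    return hits;
  }
  if (payload === null || typeof payload !== 'object') {
    for (const rule of DENYLIST) {
      if ('value' in rule && typeof payload === 'string' && matches(rule.value, payload)) {
        hits.push({ path: path.join('.'), rule: String(rule.value) });
      }
    }
    return hits;
  }
  // Object.keys lists "__proto__" as an own property when it came from JSON.parse.
  for (const key of Object.keys(payload)) {
    for (const rule of DENYLIST) {
      if ('key' in rule && matches(rule.key, key)) {
        hits.push({ path: [...path, key].join('.'), rule: String(rule.key) });
      }
    }
    findDeniedKeywords(payload[key], [...path, key], hits);
  }
  return hits;
}

// Guard for a trigger/webhook handler, e.g.
//   Parse.Cloud.beforeSave('ExampleClass', req => assertNoDeniedKeywords(req.object.toJSON()));
// Throwing inside the trigger makes Parse Server reject the save.
function assertNoDeniedKeywords(payload) {
  const hits = findDeniedKeywords(payload);
  if (hits.length > 0) {
    const detail = hits.map((h) => `${h.path} (rule ${h.rule})`).join(', ');
    throw new Error(`Request contains denied keywords: ${detail}`);
  }
  return true;
}

// Constructed sample body resembling what a webhook or trigger might receive.
const sampleRequest = JSON.parse(
  '{"name":"ok","$forbiddenKeyword":"Malicious Data","nested":{"a.b":1}}'
);
```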

Workarounds

If upgrading your Parse Server version is not an option at this point in time, the following workaround can be employed to reduce the risk temporarily:

1. Configure your firewall so that only trusted servers can make requests to the Parse Server Cloud Code Webhooks API.

Conclusion

To avoid security risks, it is highly advisable to upgrade Parse Server to version 4.10.19 or 5.3.2, which resolves CVE-2022-41878. If this is not feasible, workarounds such as restricting access to the webhooks API at the firewall, or blocking it entirely, can be considered as temporary measures. Continue following security best practices and keep a watchful eye for new vulnerabilities and updates in the future.

Timeline

Published on: 11/10/2022 23:15:00 UTC
Last modified on: 11/15/2022 20:00:00 UTC