Miggo Logo

CVE-2022-31112: Protected fields exposed via LiveQuery

8.2

CVSS Score
3.1

Basic Information

EPSS Score
0.66925%
Published
7/6/2022
Updated
7/24/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
parse-servernpm< 4.10.134.10.13
parse-servernpm>= 5.0.0, < 5.2.45.2.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from missing protected field filtering in LiveQuery event handling. Key indicators: 1) The patch added a new _filterSensitiveData method to handle field removal 2) Modified event handlers to call this filtering 3) DatabaseController changes show schema handling improvements 4) Test case specifically checks protected field stripping. The original code only had ad-hoc sessionToken/authData removal but lacked systematic protected field handling via schema definitions, allowing exposure of any fields marked protected in class-level permissions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t P*rs* S*rv*r Liv*Qu*ry *o*s not r*mov* prot**t** *i*l*s in *l*ss*s, p*ssin* t**m to t** *li*nt. ### P*t***s T** Liv*Qu*ry*ontroll*r now r*mov*s prot**t** *i*l*s *rom t** *li*nt r*spons*. ### Work*roun*s Us* `P*rs*.*lou*.**t*rLiv*Qu*ry*v

Reasoning

T** vuln*r**ility st*mm** *rom missin* prot**t** *i*l* *ilt*rin* in Liv*Qu*ry *v*nt **n*lin*. K*y in*i**tors: *) T** p*t** ***** * n*w `_*ilt*rS*nsitiv***t*` m*t*o* to **n*l* *i*l* r*mov*l *) Mo*i*i** *v*nt **n*l*rs to **ll t*is *ilt*rin* *) `**t***s