GraphQL: Security breach on Viewer query

High
davimacedo published GHSA-236h-rqv8-8q73 Jul 22, 2020

Package

parse-server (npm/yarn)

Affected versions

>= 3.5.0

Patched versions

4.3.0

Description

Impact

An authenticated user issuing the viewer GraphQL query can bypass all read security on their own User object, and can also bypass read security on every object linked to that User object via a Relation or Pointer.

Patches

This vulnerability has been patched in Parse Server 4.3.0.
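Because the advisory offers no workaround, the practical response is to confirm which deployments fall inside the affected range (>= 3.5.0, before 4.3.0) and upgrade them. The following script is an added example written for this page, not part of the Parse Server project or the advisory; it reads a package-lock.json (the inline sample is constructed for illustration), locates the installed parse-server version and reports whether it lies in the affected range. Prerelease builds of 4.3.0 (for example 4.3.0-beta.1) are treated as still affected, since semver orders them before the 4.3.0 release.

```python
import json
import re

# Version bounds taken from the advisory text.
AFFECTED_FROM = (3, 5, 0)   # first affected release
PATCHED_AT = (4, 3, 0)      # first patched release

SEMVER_RE = re.compile(
    r"v?(\d+)\.(\d+)\.(\d+)"            # major.minor.patch
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?"    # optional prerelease tag
    r"(?:\+[0-9A-Za-z.-]+)?"            # optional build metadata (ignored)
)


def parse_semver(version: str):
    """Return ((major, minor, patch), prerelease_or_None) or raise ValueError."""
    m = SEMVER_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    return core, m.group("pre")


def is_affected(version: str) -> bool:
    """True if the given parse-server version falls in the advisory's affected range."""
    core, pre = parse_semver(version)
    if AFFECTED_FROM <= core < PATCHED_AT:
        return True
    # A prerelease of the patched version (4.3.0-x) precedes 4.3.0 proper.
    return core == PATCHED_AT and pre is not None


def audit_lockfile(lock_json: str) -> dict:
    """Map each parse-server entry in a package-lock.json to True/False (affected or not).

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path) and
    lockfileVersion 1 ("dependencies" keyed by package name).
    """
    data = json.loads(lock_json)
    found = {}
    for path, meta in data.get("packages", {}).items():
        if path.endswith("node_modules/parse-server") and meta.get("version"):
            found[path] = meta["version"]
    dep = data.get("dependencies", {}).get("parse-server")
    if dep and dep.get("version"):
        found["dependencies/parse-server"] = dep["version"]
    return {path: is_affected(v) for path, v in found.items()}


# Constructed sample lockfile (lockfileVersion 2 layout); not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"parse-server": "^4.2.0"}},
        "node_modules/parse-server": {"version": "4.2.0"},
    },
})

if __name__ == "__main__":
    for path, affected in audit_lockfile(SAMPLE_LOCK).items():
        status = "AFFECTED - upgrade to 4.3.0 or later" if affected else "not affected"
        print(f"{path}: {status}")
```

Run it against a real lockfile with `audit_lockfile(open("package-lock.json").read())`; a `True` value for any entry means that deployment still exposes the viewer query described above and should be moved to 4.3.0 or later.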

Workarounds

None.

References

See commit 78239ac for details.

Severity

High

CVE ID

CVE-2020-15126

Weaknesses

No CWEs

Credits