Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade parse-server from 2.3.2 to 4.10.17 #272

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade parse-server from 2.3.2 to 4.10.17 #272

wants to merge 1 commit into from

Conversation

ninadhatkar
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • appengine/parse-server/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 661/1000
Why? Recently disclosed, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-PARSESERVER-3052851		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: parse-server The new version differs by 250 commits.
  • 041e604 chore(release): 4.10.17 [skip ci]
  • 3d7a61e fix: server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) (#8236)
  • f03bf00 chore(release): 4.10.16 [skip ci]
  • b3e7939 fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) (#8186)
  • 9d50226 chore(release): 4.10.15 [skip ci]
  • 7ca9ed0 fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) (#8183)
  • e29f7c0 chore(release): 4.10.14 [skip ci]
  • 634c44a fix: brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) (#8143)
  • 4748e9b chore(release): 4.10.13 [skip ci]
  • 054f3e6 fix: protected fields exposed via LiveQuery; this removes protected fields from the client response; this may be a breaking change if your app is currently expecting to receive these protected fields ([GHSA-crrq-vr9j-fxxh](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh)) (#8074)
  • 6286d2e chore(release): 4.10.12 [skip ci]
  • 5f42322 fix: invalid file request not properly handled; this fixes a security vulnerability in which an invalid file request can crash the server ([GHSA-xw6g-jjvf-wwf9](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9)) (#8059)
  • ad680bd chore(release): 4.10.11 [skip ci]
  • 145838d fix: certificate in Apple Game Center auth adapter not validated; this fixes a security vulnerability in which authentication could be bypassed using a fake certificate; if you are using the Apple Gamer Center auth adapter it is your responsibility to keep its root certificate up-to-date and we advice you read the security advisory ([GHSA-rh9j-f5f8-rvgc](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc))
  • 8580a52 fix CI timeout
  • 53afafa Update gcenter.js
  • c411c48 Create game_center.pem
  • 07786c1 fix adapter
  • b00b041 chore(release): 4.10.10 [skip ci]
  • 1930a64 fix: authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter (GHSA-qf8x-vqjv-92gr) (#7963)
  • cd354b7 chore(release): 4.10.9 [skip ci]
  • 3d80ee5 fix: security upgrade @ parse/push-adapter from 3.4.1 to 4.1.2 (#7897)
  • bf88869 chore(release): 4.10.8 [skip ci]
  • d347613 fix: sensitive keyword detection may produce false positives (#7883)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)

@snyk-bot snyk-bot mentioned this pull request Jan 10, 2023
Open
@ninadhatkar ninadhatkar mentioned this pull request Jul 13, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ninadhatkar @snyk-bot