CVE Catalog

CVE-2021-47987

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

The vulnerability concerns a supply chain incident in Parse Server before version 4.10.0, where incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (e.g., parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.

Risk Assessment

The risk for the organization is the potential exploitation of unauthorized code that could have contained security vulnerabilities, potentially leading to compromise of integrity, confidentiality, or availability of systems using Parse Server.

Recommendation

It is recommended to immediately update Parse Server to version 4.10.0 or later and verify that no git dependencies reference the affected tags (e.g., parse-server#4.9.3).

Original NVD description (English source)

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS