CVE-2022-31083 – Authentication bypass in Parse Server Apple Game Center auth adapter
https://notcve.org/view.php?id=CVE-2022-31083
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter was not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object. Versions 4.0.11 and 5.2.2 prevent this by introducing a new `rootCertificateUrl` property to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple's Game Center authentication certificate. If no value is set, the `rootCertificateUrl` property defaults to the URL of the current root certificate as of May 27, 2022.
References:
https://developer.apple.com/news/?id=stttq465
https://github.com/parse-community/parse-server/commit/ba2b0a9cb9a568817a114b132a4c2e0911d76df1
https://github.com/parse-community/parse-server/pull/8054
https://github.com/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc
Weaknesses:
CWE-287: Improper Authentication
CWE-295: Improper Certificate Validation
CVE-2022-24901 – Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter
https://notcve.org/view.php?id=CVE-2022-24901
Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.
References:
https://github.com/parse-community/parse-server/security/advisories/GHSA-qf8x-vqjv-92gr
Weaknesses:
CWE-287: Improper Authentication
CWE-295: Improper Certificate Validation
CVE-2022-24760 – Command Injection in Parse server
https://notcve.org/view.php?id=CVE-2022-24760
Parse Server is an open source HTTP web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows.
References:
https://github.com/tuo4n8/CVE-2022-24760
https://github.com/parse-community/parse-server/commit/886bfd7cac69496e3f73d4bb536f0eec3cba0e4d
https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm
https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099
Weaknesses:
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-41109 – LiveQuery publishes user session tokens
https://notcve.org/view.php?id=CVE-2021-41109
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the `Parse.User` class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload. A patch in version 4.10.4 removes session tokens from the LiveQuery payload. As a workaround, set `user.acl(new Parse.ACL())` in a beforeSave trigger to make the user private already on sign-up.
References:
https://github.com/parse-community/parse-server/commit/4ac4b7f71002ed4fbedbb901db1f6ed1e9ac5559
https://github.com/parse-community/parse-server/releases/tag/4.10.4
https://github.com/parse-community/parse-server/security/advisories/GHSA-7pr3-p5fm-8r9x
Weaknesses:
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2021-39187 – Crash server with query parameter
https://notcve.org/view.php?id=CVE-2021-39187
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes if a query request contains an invalid value for the `explain` option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch. There is a patch for this issue in version 4.10.3. No workarounds aside from upgrading are known to exist.
References:
https://github.com/parse-community/parse-server/commit/308668c89474223e2448be92d6823b52c1c313ec
https://github.com/parse-community/parse-server/releases/tag/4.10.3
https://github.com/parse-community/parse-server/security/advisories/GHSA-xqp8-w826-hh6x
https://jira.mongodb.org/browse/NODE-3463
Weaknesses:
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-755: Improper Handling of Exceptional Conditions