CVE-2022-39231
Parse Server subject to Improper Authentication allowing Auth adapter app ID validation to be circumvented
Public Exploits: 0
Exploited in Wild: -
Decision: -
Descriptions
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. Configurations which allow users to authenticate using the Parse Server authentication adapter where `appIds` is set as a string instead of an array of strings authenticate requests from an app with a different app ID than the one specified in the `appIds` configuration. For this vulnerability to be exploited, an attacker needs to be assigned an app ID by the authentication provider which is a sub-set of the server-side configured app ID. This issue is patched in versions 4.10.16 and 5.2.7. There are no known workarounds.
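The description above boils down to a type confusion in the configuration: `appIds` is meant to be an array of strings, and a membership test that is correct on an array becomes a substring test when the value is a plain string. The following is an added illustration, not code from parse-server or its advisory; it assumes (as a labelled assumption) that the adapter's check is an `indexOf`-style lookup of the provider-reported app ID against `appIds`, reproduces the "sub-set app ID" bypass the advisory describes, shows a hardened check that rejects the misconfiguration outright, and adds a small audit helper for finding string-valued `appIds` in an `auth` config block (the `auth` layout, adapter name mapped to an options object with `appIds`, is assumed from Parse Server's documented config shape). The app ID values are constructed sample data.

```javascript
// Added example (not parse-server's own code). Assumption: the adapter tests the
// provider-reported app ID against `appIds` with a plain indexOf-style lookup.
// Array.prototype.indexOf matches whole elements; String.prototype.indexOf
// matches substrings, which is what makes a string-valued `appIds` unsafe.

// Weak check: correct when appIds is an array, substring-match when it is a string.
function weakAppIdCheck(appIds, reportedAppId) {
  if (!appIds || !appIds.length) {
    throw new Error('appIds not configured');
  }
  // Same method name, different semantics depending on the runtime type of appIds.
  return appIds.indexOf(reportedAppId) !== -1;
}

// Hardened check: refuse anything but a non-empty array of non-empty strings and
// require an exact element match, so a misconfiguration fails closed.
function strictAppIdCheck(appIds, reportedAppId) {
  if (!Array.isArray(appIds) || appIds.length === 0) {
    throw new TypeError('appIds must be a non-empty array of strings');
  }
  if (!appIds.every(id => typeof id === 'string' && id.length > 0)) {
    throw new TypeError('appIds must contain only non-empty strings');
  }
  return typeof reportedAppId === 'string' && appIds.includes(reportedAppId);
}

// Stand-in for the adapter's verification step. In a real adapter the reported
// app ID comes from the provider's token introspection, not from the client;
// here it is passed in directly so the comparison logic can be exercised offline.
function verifyAuthData(check, config, reportedAppId) {
  return check(config.appIds, reportedAppId) ? 'authenticated' : 'rejected';
}

// Audit helper (assumed config shape): list adapters whose appIds is a string.
function findStringAppIds(authConfig) {
  return Object.entries(authConfig || {})
    .filter(([, opts]) => opts && typeof opts.appIds === 'string')
    .map(([name]) => name);
}

// Constructed sample values: the server's configured app ID, and an attacker's
// provider-assigned app ID that happens to be a substring of it.
const CONFIGURED_APP_ID = '1234567890123456';
const ATTACKER_APP_ID = '4567890';

function demo() {
  const misconfigured = { appIds: CONFIGURED_APP_ID };   // string: the vulnerable shape
  const correct = { appIds: [CONFIGURED_APP_ID] };       // array: the documented shape

  const results = {
    weakString: verifyAuthData(weakAppIdCheck, misconfigured, ATTACKER_APP_ID),
    weakArray: verifyAuthData(weakAppIdCheck, correct, ATTACKER_APP_ID),
    strictArray: verifyAuthData(strictAppIdCheck, correct, ATTACKER_APP_ID),
    strictArrayLegit: verifyAuthData(strictAppIdCheck, correct, CONFIGURED_APP_ID),
  };
  try {
    verifyAuthData(strictAppIdCheck, misconfigured, ATTACKER_APP_ID);
    results.strictString = 'authenticated';
  } catch (e) {
    results.strictString = 'config error: ' + e.message;
  }
  results.stringAppIdAdapters = findStringAppIds({
    facebook: misconfigured,
    spotify: correct,
  });
  return results;
}

console.log(demo());
```

The weak check accepts the attacker's app ID only when `appIds` is a string; the same check with an array rejects it, which is why the advisory limits the affected configurations to string-valued `appIds`. The hardened version turns that misconfiguration into a startup-time error instead of a silent accept, and the audit helper is the quick way to confirm whether a deployment that cannot be upgraded immediately is even in the vulnerable configuration (the advisory lists no workaround, so upgrading remains the fix).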
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-09-02 CVE Reserved
- 2022-09-23 CVE Published
- 2024-04-15 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
CAPEC
References (1)
URL | Tag | Source
---|---|---
https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22 | Third Party Advisory |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Parseplatform | Parse-server | < 4.10.16 | node.js | Affected
Parseplatform | Parse-server | >= 5.0.0 < 5.2.7 | node.js | Affected