SB2019071137 - Observable discrepancy in parse-server
Published: July 11, 2019 Updated: May 23, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Observable discrepancy (CVE-ID: CVE-2019-1020013)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information about linked accounts and email addresses.
The vulnerability exists due to improper access control in the account linking functionality. When handling account linking requests, the server returns different error responses depending on whether a guessed account identifier exists. A remote attacker can guess account identifiers and observe these differing responses to disclose sensitive information about linked accounts and email addresses.
The issue arises because these different errors are returned before authorization is checked, so a caller with insufficient authorization still receives them.
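The check ordering described above, shown in a simplified in-memory model. This is an added example, not parse-server code: the handler names, error codes and sample users are constructed for illustration. The flawed handler returns conflict errors before the authorization check, the hardened one checks authorization first, and the last function is a regression check that counts how many distinct responses an unauthorized caller can see.

```javascript
// Constructed in-memory model (hypothetical names, not parse-server's API).
const users = [
  { id: 'u1', email: 'alice@example.test', linkedId: '1001', session: 's-alice' },
  { id: 'u2', email: 'bob@example.test', linkedId: null, session: 's-bob' },
];

// A request is authorized only if its session belongs to the target user.
const isAuthorized = (req) =>
  users.some((u) => u.id === req.targetUserId && u.session === req.session);

// Uniqueness checks shared by both handlers; each reveals whether a value exists.
function checkConflicts(req) {
  const others = users.filter((u) => u.id !== req.targetUserId);
  if (others.some((u) => u.linkedId === req.authId)) {
    return { status: 400, error: 'ACCOUNT_ALREADY_LINKED' };
  }
  if (others.some((u) => u.email === req.email)) {
    return { status: 400, error: 'EMAIL_TAKEN' };
  }
  return null;
}

// Flawed ordering: conflict errors are returned before authorization is checked.
function linkAccountFlawed(req) {
  const conflict = checkConflicts(req);
  if (conflict) return conflict;
  return isAuthorized(req) ? { status: 200 } : { status: 403, error: 'FORBIDDEN' };
}

// Corrected ordering: unauthorized callers always get the same response.
function linkAccountHardened(req) {
  if (!isAuthorized(req)) return { status: 403, error: 'FORBIDDEN' };
  return checkConflicts(req) || { status: 200 };
}

// Regression check: number of distinct responses visible without authorization.
// A value above 1 means the handler leaks which identifiers exist.
function distinctUnauthorizedResponses(handler) {
  const inputs = [
    { authId: '1001', email: 'nobody@example.test' }, // existing linked id
    { authId: '9999', email: 'alice@example.test' },  // existing email
    { authId: '9999', email: 'nobody@example.test' }, // nothing exists
  ];
  const base = { targetUserId: 'u2', session: 'invalid' };
  return new Set(inputs.map((i) => JSON.stringify(handler({ ...base, ...i })))).size;
}
```

A check like `distinctUnauthorizedResponses` can run in a test suite after the update is installed to confirm the responses stay uniform.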
Remediation
Install the update from the vendor's website.