SB2022092063 - Input validation error in parse-server
Published: September 20, 2022 Updated: May 23, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: CVE-2022-39231)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass app ID validation during authentication.
The vulnerability exists due to improper input validation in the Facebook and Spotify authentication adapters when processing authentication requests with the server-side appIds configuration set as a string instead of an array of strings. A remote user can authenticate using a Facebook or Spotify app with a different app ID than the configured one to bypass app ID validation during authentication.
Exploitation requires that authentication through the Facebook or Spotify adapter is enabled and that the assigned app ID from the authentication provider is a subset of the configured app ID.
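The following is an added, constructed illustration of the bug class described above, not parse-server's own adapter code. It assumes (this is an assumption, not something the bulletin states) that the "subset" behaviour comes from running an array-style membership check on a string, where `indexOf` becomes a substring search; the hardened form normalises the option to an array of strings before requiring an exact match.

```javascript
// Constructed example: an adapter checks the app ID returned by the identity
// provider against the server-side `appIds` option, which an operator may set
// either as an array of strings or, mistakenly, as a single string.

// Vulnerable form: the type of `appIds` is never normalised. On an array,
// indexOf is an exact element match; on a string it is a substring search,
// so any id contained in the configured string (including '') is accepted.
function validateAppIdLoose(appIds, id) {
  if (appIds.indexOf(id) === -1) {
    throw new Error('unknown app ID');
  }
  return true;
}

// Hardened form: coerce the option to an array of strings, reject non-string
// values, and require an exact element match. A string config now behaves
// like a one-element array instead of a substring pattern.
function validateAppIdStrict(appIds, id) {
  const list = Array.isArray(appIds) ? appIds : [appIds];
  if (typeof id !== 'string' || !list.every(a => typeof a === 'string')) {
    throw new TypeError('appIds and id must be strings');
  }
  if (!list.includes(id)) {
    throw new Error('unknown app ID');
  }
  return true;
}

// Reports whether a check accepts the id, turning the thrown error into false.
function accepts(check, appIds, id) {
  try {
    return check(appIds, id);
  } catch (e) {
    return false;
  }
}

// Constructed sample configuration: one app ID given as a string (the
// misconfiguration the bulletin describes) rather than ['1234567890'].
const CONFIGURED_AS_STRING = '1234567890';
const CONFIGURED_AS_ARRAY = ['1234567890'];
```

With the string configuration the loose check accepts the constructed ids '12345' and '' because they are substrings, while the same check over the array form and the strict check over either form reject them.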
Remediation
Install the update from the vendor's website.