Operation on a Resource after Expiration or Release in Parse Server

#VU48082 Operation on a Resource after Expiration or Release in Parse Server

Published: 2020-10-23 | Updated: 2023-01-31

Vulnerability identifier: #VU48082

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-15270

CWE-ID: CWE-672

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Parse Server
Web applications / Modules and components for CMS

Vendor: Parse Community

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect session management mechanism that does not properly implement session expiration. A remote attacker with invalidated session token can still receive broadcast events.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Parse Server: 4.0.0 - 4.3.0, 3.0.0 - 3.10.0, 2.0.5 - 2.8.4

External links
http://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58
http://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Parse SDK js

Information disclosure in Parse Server