Improper Certificate Validation in Parse Server

#VU64723 Improper Certificate Validation in Parse Server

Published: 2022-06-27

Vulnerability identifier: #VU64723

Vulnerability risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-31083

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Parse Server
Web applications / Modules and components for CMS

Vendor: Parse Community

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to missing certificate validation in Apple Game Center auth adapter. A remote attacker can issue a fake certificate accessible via certain Apple domains, provide the URL to that certificate in an authData object and bypass authentication.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Parse Server: 4.0.0 - 4.10.10

External links
http://developer.apple.com/news/?id=stttq465
http://github.com/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc
http://github.com/parse-community/parse-server/pull/8054
http://github.com/parse-community/parse-server/commit/ba2b0a9cb9a568817a114b132a4c2e0911d76df1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Authentication bypass in Apple Game Center