What is the vulnerability ID for this Parse Server vulnerability?

The vulnerability ID for this Parse Server vulnerability is CVE-2022-39231.

What is the severity of CVE-2022-39231?

The severity of CVE-2022-39231 is low.

Which versions of Parse Server are affected by CVE-2022-39231?

Versions prior to 4.10.16, or from 5.0.0 to 5.2.6 of Parse Server are affected by CVE-2022-39231.

How can an attacker exploit the vulnerability described in CVE-2022-39231?

An attacker can exploit the vulnerability described in CVE-2022-39231 by circumventing the authentication adapter app ID validation for Facebook and Spotify.

Is there a fix available for CVE-2022-39231?

Yes, a fix is available for CVE-2022-39231. It is recommended to update to version 4.10.16 or higher, or version 5.2.7 or higher of Parse Server to mitigate this vulnerability.

Vulnerability/
CVE-2022-39231

low

3.7

CWE

287

23/9/2022

3/8/2024

CVE-2022-39231: Parse Server subject to Improper Authentication allowing Auth adapter app ID validation to be circumvented

First published: Fri Sep 23 2022(Updated: )

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. Configurations which allow users to authenticate using the Parse Server authentication adapter where `appIds` is set as a string instead of an array of strings authenticate requests from an app with a different app ID than the one specified in the `appIds` configuration. For this vulnerability to be exploited, an attacker needs to be assigned an app ID by the authentication provider which is a sub-set of the server-side configured app ID. This issue is patched in versions 4.10.16 and 5.2.7. There are no known workarounds.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Parseplatform Parse-server	<4.10.16
Parseplatform Parse-server	>=5.0.0<5.2.7

Never miss a vulnerability like this again

Reference Links

https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22

Frequently Asked Questions

What is the vulnerability ID for this Parse Server vulnerability?
The vulnerability ID for this Parse Server vulnerability is CVE-2022-39231.
What is the severity of CVE-2022-39231?
The severity of CVE-2022-39231 is low.
Which versions of Parse Server are affected by CVE-2022-39231?
Versions prior to 4.10.16, or from 5.0.0 to 5.2.6 of Parse Server are affected by CVE-2022-39231.
How can an attacker exploit the vulnerability described in CVE-2022-39231?
An attacker can exploit the vulnerability described in CVE-2022-39231 by circumventing the authentication adapter app ID validation for Facebook and Spotify.
Is there a fix available for CVE-2022-39231?
Yes, a fix is available for CVE-2022-39231. It is recommended to update to version 4.10.16 or higher, or version 5.2.7 or higher of Parse Server to mitigate this vulnerability.

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/severity
agent/weakness
agent/author
agent/references
agent/title
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/parseplatform
canonical/parseplatform parse-server
version/parseplatform parse-server/5.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.