Description
The certificate in Apple Game Center auth adapter not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **>= 5.0.0, < 5.2.2 < 4.10.11** Patched version(s): **5.2.2 4.10.11**
References
- GHSA-rh9j-f5f8-rvgc
- developer.apple.com
- CVE-2022-31083
- CWE-287
- CWE-295
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter - CVE-2022-24901
- parse-server auth adapter app ID validation can be circumvented - CVE-2022-39231
- ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability - CVE-2024-39309
- Authentication Bypass in hapi-auth-jwt2 - CVE-2016-10525
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on January 27, 2023