5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
35.9%
The certificate in Apple Game Center auth adapter not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object.
To prevent this, a new rootCertificateUrl
property is introduced to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple’s Game Center authentication certificate. If no value is set, the rootCertificateUrl
property defaults to the URL of the current root certificate as of May 27, 2022.
Keep in mind that the root certificate can change at any time (expected to be announced by Apple) and that it is the developer’s responsibility to keep the root certificate URL up-to-date when using the Parse Server Apple Game Center auth adapter.
None.
CPE | Name | Operator | Version |
---|---|---|---|
parse-server | lt | 5.2.2 | |
parse-server | lt | 4.10.11 |
developer.apple.com/news/?id=stttq465
github.com/advisories/GHSA-rh9j-f5f8-rvgc
github.com/parse-community/parse-server/commit/ba2b0a9cb9a568817a114b132a4c2e0911d76df1
github.com/parse-community/parse-server/pull/8054
github.com/parse-community/parse-server/pull/8054/commits/0cc299f82e367518f2fe7a53b99f3f801a338cf4
github.com/parse-community/parse-server/pull/8054/commits/2084b7c569697a5230e42511799eeac9219db5a9
github.com/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc
nvd.nist.gov/vuln/detail/CVE-2022-31083
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
35.9%