The certificate in Apple Game Center auth adapter not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object.
To prevent this, a new rootCertificateUrl
property is introduced to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple’s Game Center authentication certificate. If no value is set, the rootCertificateUrl
property defaults to the URL of the current root certificate as of May 27, 2022.
Keep in mind that the root certificate can change at any time (expected to be announced by Apple) and that it is the developer’s responsibility to keep the root certificate URL up-to-date when using the Parse Server Apple Game Center auth adapter.
None.
CPE | Name | Operator | Version |
---|---|---|---|
parse-server | lt | 5.2.2 | |
parse-server | ge | 5.0.0 | |
parse-server | lt | 4.10.11 |
developer.apple.com/news/?id=stttq465
github.com/parse-community/parse-server
github.com/parse-community/parse-server/commit/ba2b0a9cb9a568817a114b132a4c2e0911d76df1
github.com/parse-community/parse-server/pull/8054
github.com/parse-community/parse-server/pull/8054/commits/0cc299f82e367518f2fe7a53b99f3f801a338cf4
github.com/parse-community/parse-server/pull/8054/commits/2084b7c569697a5230e42511799eeac9219db5a9
github.com/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc
nvd.nist.gov/vuln/detail/CVE-2022-31083