parse-server is vulnerable to authentication bypass. The vulnerability exists because the certificate in the auth adapter is not properly validated. An attacker is able to bypass authentication checks by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an `authData` object.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | parse-server | le | 4.10.10 |
| | parse-server | le | 5.2.1 |

developer.apple.com/news/?id=stttq465
github.com/parse-community/parse-server/commit/145838d2d9c1ecf76412a962a4ef61c712bcb0a7
github.com/parse-community/parse-server/commit/ba2b0a9cb9a568817a114b132a4c2e0911d76df1
github.com/parse-community/parse-server/pull/8053
github.com/parse-community/parse-server/pull/8054
github.com/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc