Improper Authentication Affecting parse-server package, versions <4.10.16 >=5.0.0 <5.2.7
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-PARSESERVER-3029906
- published 22 Sep 2022
- disclosed 21 Sep 2022
- credit KarolisBan
Introduced: 21 Sep 2022
CVE-2022-39231 Open this link in a new tabHow to fix?
Upgrade parse-server
to version 4.10.16, 5.2.7 or higher.
Overview
parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Improper Authentication when the server-side authentication adapter configuration appIds
is set as a string instead of an array of strings. The vulnerability makes it possible to authenticate requests coming from a Facebook or Spotify app with a different app ID
than the one specified in the appIds
configuration.
Note:
This vulnerability affects environments with configurations that allow users to authenticate using the Parse Server authentication adapter for Facebook
or Spotify
.