Improper Authentication Affecting parse-server package, versions <4.10.16 >=5.0.0 <5.2.7


Severity

0.0
low
0
10

    Threat Intelligence

    EPSS
    0.07% (32nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-PARSESERVER-3029906
  • published 22 Sep 2022
  • disclosed 21 Sep 2022
  • credit KarolisBan

How to fix?

Upgrade parse-server to version 4.10.16, 5.2.7 or higher.

Overview

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improper Authentication when the server-side authentication adapter configuration appIds is set as a string instead of an array of strings. The vulnerability makes it possible to authenticate requests coming from a Facebook or Spotify app with a different app ID than the one specified in the appIds configuration.

Note: This vulnerability affects environments with configurations that allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify.

CVSS Scores

version 3.1
Expand this section

Snyk

3.7 low
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

NVD

3.7 low