GHSA-qf8x-vqjv-92gr: Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter
Weak validation of the Apple certificate URL in the Apple Game Center authentication adapter allows authentication to be bypassed and makes the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.
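As an added example (not code from parse-server or from the advisory's fix), a defensive validator of the kind the description calls for: it refuses a public-key URL that is not https, not on the expected Apple host, or not the expected certificate path, and it checks response headers before any body is buffered so an oversized or wrong-typed resource cannot exhaust memory. The allowed host, path pattern, content types and size limit are assumptions for illustration, not values taken from the patch.

```javascript
// Added example, not parse-server's own code. Hardened handling of the Game
// Center public-key URL: strict URL validation first, then a header check
// before any body is buffered. Host, path pattern, content types and size
// limit are assumptions for illustration, not values from the advisory's patch.
const ALLOWED_HOST = 'static.gc.apple.com';                                     // assumption
const ALLOWED_PATH = /^\/public-key\/gc-(prod|sandbox)-\d+\.cer$/;              // assumption
const ALLOWED_TYPES = ['application/pkix-cert', 'application/x-x509-ca-cert'];  // assumption
const MAX_CERT_BYTES = 64 * 1024; // a DER certificate is a few KB; cap the download

// Parses and validates the URL; throws with a reason when it must be refused.
function validatePublicKeyUrl(raw) {
  let url;
  try { url = new URL(String(raw)); } catch { throw new Error('unparseable URL'); }
  if (url.protocol !== 'https:') throw new Error('scheme must be https');
  // Compare the parsed hostname exactly: a prefix/suffix test would accept
  // "static.gc.apple.com.evil.example", and "static.gc.apple.com@evil.example"
  // parses with the Apple name in url.username, so it fails this check too.
  if (url.hostname !== ALLOWED_HOST) throw new Error('host not allowed');
  if (url.username || url.password) throw new Error('credentials not allowed');
  if (url.port !== '') throw new Error('explicit port not allowed');
  // url.pathname is already dot-segment normalised, so "/public-key/../x"
  // is tested as "/x" and rejected by the pattern.
  if (!ALLOWED_PATH.test(url.pathname)) throw new Error('path not allowed');
  if (url.search || url.hash) throw new Error('query/fragment not allowed');
  return url;
}

// Boolean convenience wrapper around validatePublicKeyUrl.
function isAcceptablePublicKeyUrl(raw) {
  try { validatePublicKeyUrl(raw); return true; } catch { return false; }
}

// Inspects response headers before reading the body, so an oversized or
// wrong-typed resource is dropped instead of being buffered into memory.
function checkCertResponseHeaders(headers) {
  const type = String(headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const length = Number(headers['content-length']);
  if (!ALLOWED_TYPES.includes(type)) return { ok: false, reason: 'unexpected content-type' };
  if (!Number.isInteger(length) || length <= 0) return { ok: false, reason: 'missing content-length' };
  if (length > MAX_CERT_BYTES) return { ok: false, reason: 'certificate too large' };
  return { ok: true };
}
```

A real download path would additionally abort the stream once MAX_CERT_BYTES have been read, since Content-Length is attacker-controlled on a hostile server.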
- CVE-2022-24901
High severity. GitHub Reviewed. Published May 4, 2022 in parse-community/parse-server. Updated May 13, 2022.
Package
parse-server (npm)
Affected versions
< 4.10.10
>= 5.0.0, < 5.2.1
Patched versions
4.10.10
5.2.1
References
- GHSA-qf8x-vqjv-92gr
- https://nvd.nist.gov/vuln/detail/CVE-2022-24901
- parse-community/parse-server@af4a041
mtrezza published the maintainer security advisory on May 1, 2022.
Severity
High
7.5 / 10
CVSS base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses
CWE-287, CWE-295
CVE ID
CVE-2022-24901
GHSA ID
GHSA-qf8x-vqjv-92gr
Source code
parse-community/parse-server/
Credits
- yoshmidev
- kurt-r2c