GHSA-qf8x-vqjv-92gr: Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter

Weak validation of the Apple certificate URL in the Apple Game Center authentication adapter allows authentication to be bypassed and makes the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks on the resource the URL points to before downloading it.
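The two-part fix the advisory describes (strict validation of the certificate URL, then checks on the resource before it is downloaded) looks roughly like this in Node.js. This is an added example written for this page, not parse-server's own code; the allowlisted host, path prefix, accepted content types and size cap are assumptions.

```javascript
// Added example, not parse-server's code. Assumed allowlist values; the real adapter
// may use a different host, path prefix, content types or size cap.
const ALLOWED_HOST = 'static.gc.apple.com';       // assumed: the only host certs may come from
const ALLOWED_PATH_PREFIX = '/public-key/';       // assumed: the only path prefix
const ALLOWED_TYPES = new Set(['application/pkix-cert', 'application/x-x509-ca-cert']);
const MAX_CERT_BYTES = 64 * 1024;                 // assumed: a DER certificate is far smaller

// Parse with the WHATWG URL parser and compare components exactly. Substring or regex
// matching on the raw string is what lets look-alike hosts and other schemes through.
function validateCertUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch { return { ok: false, reason: 'unparseable' }; }
  if (u.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (u.username || u.password) return { ok: false, reason: 'credentials' };
  if (u.hostname !== ALLOWED_HOST || u.port !== '') return { ok: false, reason: 'host' };
  if (!u.pathname.startsWith(ALLOWED_PATH_PREFIX) || !u.pathname.endsWith('.cer')) {
    return { ok: false, reason: 'path' };
  }
  return { ok: true, url: u.href };
}

// Inspect status and headers before any body bytes are read; `headers` is a plain
// object with lower-case keys, as Object.fromEntries(response.headers) produces.
function checkCertHeaders(headers, status = 200) {
  if (status !== 200) return { ok: false, reason: 'status' };
  const type = String(headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (!ALLOWED_TYPES.has(type)) return { ok: false, reason: 'type' };
  const len = Number(headers['content-length']);
  if (!Number.isInteger(len) || len <= 0 || len > MAX_CERT_BYTES) return { ok: false, reason: 'size' };
  return { ok: true, length: len };
}

// Download only after both checks pass; never follow redirects, time out, and stop
// reading at the cap even if Content-Length was understated. Needs Node 18+ (fetch).
async function fetchCertificate(raw) {
  const v = validateCertUrl(raw);
  if (!v.ok) throw new Error(`rejected certificate URL (${v.reason})`);
  const res = await fetch(v.url, { redirect: 'manual', signal: AbortSignal.timeout(5000) });
  const h = checkCertHeaders(Object.fromEntries(res.headers), res.status);
  if (!h.ok) { await res.body?.cancel(); throw new Error(`rejected response (${h.reason})`); }
  const reader = res.body.getReader(), chunks = [];
  let seen = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    if ((seen += value.length) > MAX_CERT_BYTES) { await reader.cancel(); throw new Error('body exceeds cap'); }
    chunks.push(value);
  }
  return Buffer.concat(chunks);
}
```

The byte cap in `fetchCertificate` is what addresses the availability side of the advisory: a server that advertises a small Content-Length but streams an unbounded body is cut off at the same limit the header check enforces.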


High severity GitHub Reviewed Published May 4, 2022 in parse-community/parse-server • Updated May 13, 2022

Package: parse-server (npm)

Affected versions: < 4.10.10; >= 5.0.0, < 5.2.1

Patched versions: 4.10.10; 5.2.1

References

  • GHSA-qf8x-vqjv-92gr
  • https://nvd.nist.gov/vuln/detail/CVE-2022-24901
  • parse-community/parse-server@af4a041

mtrezza published the maintainer security advisory on May 1, 2022.

Severity: High, 7.5 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses: CWE-287, CWE-295

CVE ID: CVE-2022-24901

GHSA ID: GHSA-qf8x-vqjv-92gr

Source code: parse-community/parse-server

Credits

  • yoshmidev
  • kurt-r2c
