Headline
Parse Server fixes brute-forcing bug that put sensitive user data at risk
Open source project provides push notification functionality for iOS, macOS, Android, and tvOS
Adam Bannister 20 September 2022 at 14:57 UTC
Open source project provides push notification functionality for iOS, macOS, Android, and tvOS
A security flaw in Parse Server that enabled brute-force guessing of sensitive user data on the API server module for Node.js and the Express WAF has been patched.
Parse Server is a popular open source project that provides push notification functionality for iOS, macOS, Android, and Apple TV operating system tvOS.
“Internal fields (keys used internally by Parse Server, prefixed by _) and protected fields (user defined) can be used as query constraints,” reads a description of the vulnerability in a GitHub advisory published on Friday (September 16).
Read more of the latest cybersecurity vulnerability news
“Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object.”
Tracked as CVE-2022-36079, the high severity issue was assigned a CVSS rating of 8.6 by GitHub but 7.5 by the National Institute of Standards and Technology (NIST). Attack complexity was deemed ‘low’.
Update and workaround
The bug was patched in versions 4.10.14 and 5.2.5 of the parse-server NPM package with all prior versions on these release lines affected. The fix mandates that the master key uses internal and protected fields as query constraints.
A workaround is also available for developers who are unable to update their systems immediately. “Implement a Parse Cloud Trigger beforeFind and manually remove the query constraints,” explained the advisory.
Other significant security bugs addressed in Parse Server this year include a high severity authentication bypass impacting Apple Game Center, disclosed in June, and a prototype pollution, maximum severity vulnerability disclosed in March that would “likely affect Postgres and any other database backend”.
RECOMMENDED ‘Security teams often fight against developers taking control’ of AppSec: Tanya Janca on the drive to DevSecOps adoption
Related news
### Impact Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object. ### Patches The patch requires the maser key to use internal and protected fields as query constraints. ### Workarounds Implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints, such as: ```js Parse.Cloud.beforeFind('TestObject', ({ query }) => { for (const key in query._where || []) { // Repeat logic for protected fields if (key.charAt(0) === '_') { delete query._where[key]; } } }); ``` ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints.