CVE-2020-15270
Published: 2020-10-22
Priority: P4 · 19 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 1.15% (62.9th percentile)
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | <= 4.3.0 | — |
| parse-community | parse-server | >= 0 < 4.4.0 | 4.4.0 |
| parseplatform | parse-server | <= 4.3.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
OSV
receiving subscription objects with deleted session
osv·2020-10-27
CVE-2020-15270 [MEDIUM] receiving subscription objects with deleted session
Original Message:
Hi,
I create objects with one client with an ACL of all users with a specific column value. That's working so far.
Then I deleted the session object from one user to look if he can receive subscription objects, and he can receive them.
The client with the deleted session can't create new objects, which Parse restricts right.
The LiveQueryServer doesn't detect deleted sessions after the websocket connection was established.
There should be a mechanism that checks in a specific interval if the session exists.
I don't know if it's true with expired sessions.
Any solutions?
Parse version: 4.3.0
Parse js SDK version: 2.17
Solution:
Hi guys.
I've found and fixed the problem. It happens because there are two caches in place
GHSA
receiving subscription objects with deleted session
ghsa·2020-10-27
CVE-2020-15270 [MEDIUM] CWE-672 receiving subscription objects with deleted session
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58
- https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj
- https://npmjs.com/parse-server