Parse Server's custom object ID allows to acquire role privileges
High severity
GitHub Reviewed
Published
Oct 4, 2024
in
parse-community/parse-server
•
Updated Nov 13, 2024
Description
Published by the National Vulnerability Database
Oct 4, 2024
Published to the GitHub Advisory Database
Oct 4, 2024
Reviewed
Oct 4, 2024
Last updated
Nov 13, 2024
Impact
If the Parse Server option
allowCustomObjectId: true
is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role.Patches
Improved validation for custom user object IDs. Session tokens for existing users with an object ID that exploits the vulnerability are now rejected.
Workarounds
allowCustomObjectId: false
or not setting the option which defaults tofalse
.role:
.References
References