ghsa-2xm2-xj2q-qgpj
Vulnerability from github
Published
2020-10-27 19:15
Modified
2021-10-06 22:02
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
receiving subscription objects with deleted session
Details

Original Message: Hi,

I create objects with one client with an ACL of all users with a specific column value. Thats working so far.

Then I deleted the session object from one user to look if he can receive subscription objects and he can receive them. The client with the deleted session cant create new objects, which Parse restricts right.

The LiveQueryServer doesnt detect deleted sessions after the websocket connection was established. There should be a mechanism that checks in an specific interval if the session exists. I dont know if its true with expired sessions.

Any solutions?

Parse version: 4.3.0 Parse js SDK version: 2.17

Solution: Hi guys.

I've found and fixed the problem. It happens because there are two caches in place for the session token:

  • at Parse Server level, which, according with the docs, should be changed via cacheTTL option and defaults to 5 seconds;
  • at Parse Live Query level, which, according with the docs, should be changed via liveQueryServerOptions.cacheTimeout and defaults to 30 days.

But there are three problems:

  • cacheTTL has currently no effect over Live Query Server;
  • cacheTimeout also has currently no effect over Live Query Server;
  • cacheTimeout actually defaults to 1h.

So, currently, if you wait 1 hour after the session token was invalidated, the clients using the old session token are not able to receive the events.

What I did:

  • Added a test case for the problem;
  • Fixed cacheTTL for Live Query Server;
  • Fixed cacheTimeout for Live Query Server;
  • Changed the cacheTimeout to default 5s;
  • Changed the docs to reflect the actual 5s default for cacheTimeout.
Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15270"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-10-22T21:12:08Z",
    "nvd_published_at": "2020-10-22T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Original Message:\nHi,\n\nI create objects with one client with an ACL of all users with a specific column value. Thats working so far.\n\nThen I deleted the session object from one user to look if he can receive subscription objects and he can receive them.\nThe client with the deleted session cant create new objects, which Parse restricts right.\n\nThe LiveQueryServer doesnt detect deleted sessions after the websocket connection was established.\nThere should be a mechanism that checks in an specific interval if the session exists.\nI dont know if its true with expired sessions.\n\nAny solutions?\n\nParse version: 4.3.0\nParse js SDK version: 2.17\n\nSolution:\nHi guys.\n\nI\u0027ve found and fixed the problem. It happens because there are two caches in place for the session token:\n\n- at Parse Server level, which, according with the docs, should be changed via cacheTTL option and defaults to 5 seconds;\n- at Parse Live Query level, which, according with the docs, should be changed via liveQueryServerOptions.cacheTimeout and defaults to 30 days.\n\nBut there are three problems:\n\n- cacheTTL has currently no effect over Live Query Server;\n- cacheTimeout also has currently no effect over Live Query Server;\n- cacheTimeout actually defaults to 1h.\n\nSo, currently, if you wait 1 hour after the session token was invalidated, the clients using the old session token are not able to receive the events.\n\nWhat I did:\n\n- Added a test case for the problem;\n- Fixed cacheTTL for Live Query Server;\n- Fixed cacheTimeout for Live Query Server;\n- Changed the cacheTimeout to default 5s;\n- Changed the docs to reflect the actual 5s default for cacheTimeout.\n\n",
  "id": "GHSA-2xm2-xj2q-qgpj",
  "modified": "2021-10-06T22:02:05Z",
  "published": "2020-10-27T19:15:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15270"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "receiving subscription objects with deleted session"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.