Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9.5.2-alpha.5 and 8.6.18.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Parse-server | Parseplatform | * | 8.6.18 (excluding) |
| Parse-server | Parseplatform | 9.0.0 (including) | 9.5.2 (excluding) |
| Parse-server | Parseplatform | 9.5.2-alpha1 (including) | 9.5.2-alpha1 (including) |
| Parse-server | Parseplatform | 9.5.2-alpha2 (including) | 9.5.2-alpha2 (including) |
| Parse-server | Parseplatform | 9.5.2-alpha3 (including) | 9.5.2-alpha3 (including) |
| Parse-server | Parseplatform | 9.5.2-alpha4 (including) | 9.5.2-alpha4 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html