Impact
If the Parse Server option allowCustomObjectId: true is set, an attacker who is allowed to create a new user can choose a custom object ID for that user that exploits the vulnerability (an object ID beginning with the prefix role:) and thereby acquires the privileges of a specific role.
Patches
Improved validation for custom user object IDs. Session tokens for existing users with an object ID that exploits the vulnerability are now rejected.
Workarounds
- Disable custom object IDs by setting allowCustomObjectId: false, or by not setting the option at all, since it defaults to false.
- Use a Cloud Code trigger to validate that a new user's object ID does not start with the prefix role:.
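The second workaround as a worked Cloud Code trigger. This is an added example and is not code from the advisory or from the Parse Server project; it assumes the Parse Server 3.x and later trigger style (an error thrown from beforeSave rejects the save), uses Parse.Error.VALIDATION_ERROR as the rejection code, and deliberately checks the prefix case-insensitively and after trimming whitespace, which is stricter than the advisory's literal role: wording. The helper names rejectionReasonForUserObjectId and registerUserObjectIdGuard are this example's own.

```javascript
// Added example, not Parse Server's own code: a beforeSave trigger on _User that
// rejects custom object IDs starting with "role:", so a user record can never
// carry an identifier that is also a role key.
const FORBIDDEN_USER_ID_PREFIX = 'role:';

// Returns a human-readable reason the objectId must be rejected, or null when it
// is acceptable. An undefined/null id means the server will generate one.
function rejectionReasonForUserObjectId(objectId) {
  if (objectId === undefined || objectId === null) {
    return null;
  }
  if (typeof objectId !== 'string') {
    return 'objectId must be a string';
  }
  // Assumption of this example: compare case-insensitively and ignore
  // surrounding whitespace, which is stricter than a literal prefix match.
  if (objectId.trim().toLowerCase().startsWith(FORBIDDEN_USER_ID_PREFIX)) {
    return `objectId must not start with "${FORBIDDEN_USER_ID_PREFIX}"`;
  }
  return null;
}

// Builds the trigger handler. `parse` is the Parse SDK object (the global
// `Parse` inside Cloud Code); it is a parameter so the handler can be exercised
// outside a running server.
function makeUserObjectIdGuard(parse) {
  return (request) => {
    // Check every save, not only new users: a user that already carries a
    // "role:" id is blocked from further updates as well.
    const reason = rejectionReasonForUserObjectId(request.object.id);
    if (reason) {
      throw new parse.Error(parse.Error.VALIDATION_ERROR, reason);
    }
  };
}

// Registers the trigger when a Parse SDK object is available; returns false
// (and does nothing) otherwise, so the file can be loaded in a plain test.
function registerUserObjectIdGuard(parse = (typeof Parse !== 'undefined' ? Parse : undefined)) {
  if (!parse || !parse.Cloud || !parse.User) {
    return false;
  }
  parse.Cloud.beforeSave(parse.User, makeUserObjectIdGuard(parse));
  return true;
}

registerUserObjectIdGuard();
```

Deploy this alongside the server-side option, not instead of it: the trigger only covers saves that reach Cloud Code, while allowCustomObjectId: false removes the attacker's ability to choose an object ID in the first place.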
References
Credits
- Kartal Kaan Bozdoğan (reporter)
- Manuel Trezza (coordinator)