Login Sign Up

CVE-2022-31083

8.6 HIGH
Authentication Bypass

📋 TL;DR

Parse Server's Apple Game Center authentication adapter had a certificate validation flaw that allowed attackers to bypass authentication by providing a fake certificate URL. This affects all Parse Server deployments using Apple Game Center authentication before versions 4.10.11 and 5.2.2. The vulnerability enables unauthorized access to protected resources.

💻 Affected Systems

Products:
  • Parse Server
Versions: All versions before 4.10.11 and 5.2.2
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using Apple Game Center authentication adapter.

📦 What is this software?

Parse Server by Parseplatform

View all CVEs affecting Parse Server →

Parse Server by Parseplatform

View all CVEs affecting Parse Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete authentication bypass allowing unauthorized users to access protected data and functionality as authenticated users.

🟠

Likely Case

Unauthorized access to user accounts and protected resources through Game Center authentication.

🟢

If Mitigated

Proper certificate validation prevents all authentication bypass attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires ability to host fake certificate on Apple domains and craft authData object.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.10.11 or 5.2.2

Vendor Advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc

Restart Required: Yes

Instructions:

1. Update Parse Server to version 4.10.11 or 5.2.2. 2. Configure rootCertificateUrl property in Apple Game Center auth adapter. 3. Restart the Parse Server instance.

🔧 Temporary Workarounds

Disable Apple Game Center Authentication

all

Temporarily disable Apple Game Center authentication until patching is possible.

Remove or comment out Game Center auth adapter configuration in parse-server config

🧯 If You Can't Patch

  • Disable Apple Game Center authentication entirely
  • Implement additional authentication layers and monitoring for Game Center auth attempts

🔍 How to Verify

Check if Vulnerable:

Check Parse Server version and verify if using Apple Game Center authentication with versions below 4.10.11 or 5.2.2.

Check Version:

npm list parse-server

Verify Fix Applied:

Verify Parse Server version is 4.10.11 or 5.2.2 and rootCertificateUrl is configured in Game Center auth adapter.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns from Game Center
  • Failed certificate validation attempts
  • Authentication attempts with custom certificate URLs

Network Indicators:

  • Requests to non-standard Apple certificate URLs
  • Authentication attempts with modified authData objects

SIEM Query:

source="parse-server" AND (event="authentication" AND adapter="gamecenter") AND (certificate_url NOT CONTAINS "apple.com" OR certificate_validation="failed")

📊 Metadata

CVE ID: CVE-2022-31083
CVSS v3 Score: 8.6 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE: CWE-287
Published: June 17, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-31083, you might also want to check these:

CVE-2024-27767 10.0

CVE-2024-27767 is an authentication bypass vulnerability that allows attackers to gain unauthorized ...

Same vulnerability type (CWE-287)
CVE-2026-24898 10.0

OpenEMR versions before 8.0.0 contain an unauthenticated token disclosure vulnerability in the MedEx...

Same vulnerability type (CWE-287)
CVE-2026-20127 10.0

This critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager al...

Same vulnerability type (CWE-287)