Executive Summary

This vulnerability affects Parse Server versions prior to 9.6.0-alpha.29 and 8.6.49. It allows a user to sign up without providing any credentials by sending an empty `authData` object. This bypasses the usual requirement for a username and password, enabling the creation of authenticated sessions without proper authentication, even if anonymous users are disabled.

The issue was fixed by treating empty or non-actionable `authData` the same as absent `authData` during credential validation for new user creation, thus enforcing the requirement for username and password when no valid authentication provider data is present.

As a workaround before the fix, developers could use a Cloud Code `beforeSave` trigger on the `_User` class to reject signups where `authData` is empty and no username or password is provided.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthorized users to create authenticated sessions without valid credentials. This means attackers could gain access to the system as authenticated users without providing a username or password.

Such unauthorized access could lead to potential misuse of the system, unauthorized data access, or manipulation of user accounts, compromising the security and integrity of the application.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

I don't know

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Parse Server to version 9.6.0-alpha.29 or 8.6.49 or later, where the issue is fixed.

As a workaround, implement a Cloud Code beforeSave trigger on the _User class to reject signups where the authData object is empty and no username or password is provided.

Useful 0 Not Useful 0