PT-2020-14328 · Parse · Parse Server

Davimacedo

·

Published

2020-10-22

·

Updated

2024-03-06

·

CVE-2020-15270

CVSS v3.1

4.3

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Parse Server version 4.3.0
Description: Clients whose sessions have expired still receive Live Query subscription objects, because Parse Server broadcasts events to every subscribed client without re-checking that the client's session token is still valid. It is not possible to create a subscription with an invalid session token; the problem is limited to sessions that expire after the subscription was created. The cause is that two caches hold the session token: one at Parse Server level and one at Live Query level. The cacheTTL option at Parse Server level has no effect on the Live Query Server, and the cacheTimeout option at Live Query Server level also has no effect and actually defaults to 1 hour.
Recommendations: For Parse Server 4.3.0, lower both the cacheTTL option and liveQueryServerOptions.cacheTimeout (for example to 5 seconds) to shrink the window in which a client with an expired session can still receive subscription objects; a window as long as the cache lifetime still remains. Ensure the Live Query Server checks session validity before delivering events instead of relying on a cached result. As a temporary workaround, periodically verify that the session of each client connected to the Live Query Server still exists and is valid, and drop the subscriptions of clients whose session fails that check.
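The two-cache failure mode described above, together with the workaround in the recommendations, as an added example that is not Parse Server's own code: a toy JavaScript model with a session store, a Live Query level auth cache and a broadcaster. The class and function names, the `r:alice-session` token and the timeline (subscribe at t=0, session expires at t=60s) are assumptions made for illustration; only the option names cacheTTL and liveQueryServerOptions.cacheTimeout come from the advisory. The three scenarios show that with the 1 hour default the expired client keeps receiving events, that a 5 second cache leaves a residual window equal to the cache age (the broadcast at 61s still goes through), and that revalidating against the session store on every event, or periodically pruning subscriptions whose session fails validation, closes the window.

```javascript
// Added example (not Parse Server's own code): toy model of the two session
// caches behind CVE-2020-15270. SessionStore, AuthCache, ToyLiveQueryServer,
// runScenario and the timeline values are assumptions made for illustration.

// The two options the advisory names, as they would appear in the ParseServer
// constructor options (milliseconds); a plain object so this runs offline.
const parseServerOptionsWorkaround = {
  cacheTTL: 5 * 1000,
  liveQueryServerOptions: { cacheTimeout: 5 * 1000 },
};

// Stand-in for the session table: token -> { userId, expiresAt } (ms timestamps).
class SessionStore {
  constructor() { this.sessions = new Map(); }
  create(token, userId, expiresAt) { this.sessions.set(token, { userId, expiresAt }); }
  // Authoritative check: userId if the session exists and is unexpired, else null.
  validate(token, now) {
    const s = this.sessions.get(token);
    return s && s.expiresAt > now ? s.userId : null;
  }
}

// Stand-in for the Live Query level auth cache: entries live for maxAgeMs.
class AuthCache {
  constructor(maxAgeMs) { this.maxAgeMs = maxAgeMs; this.entries = new Map(); }
  get(token, now) {
    const e = this.entries.get(token);
    if (!e) return undefined;
    if (now - e.storedAt > this.maxAgeMs) { this.entries.delete(token); return undefined; }
    return e.userId;
  }
  set(token, userId, now) { this.entries.set(token, { userId, storedAt: now }); }
  delete(token) { this.entries.delete(token); }
}

class ToyLiveQueryServer {
  // cacheTimeoutMs plays the role of liveQueryServerOptions.cacheTimeout;
  // revalidateOnEvent = true is the hardened behaviour (store lookup per event).
  constructor(store, { cacheTimeoutMs, revalidateOnEvent = false }) {
    this.store = store;
    this.cache = new AuthCache(cacheTimeoutMs);
    this.revalidateOnEvent = revalidateOnEvent;
    this.clients = new Map(); // clientId -> session token
  }
  // Subscribing always consults the store, so an invalid token cannot subscribe.
  subscribe(clientId, token, now) {
    const userId = this.store.validate(token, now);
    if (userId === null) throw new Error(`subscribe rejected for ${clientId}`);
    this.cache.set(token, userId, now);
    this.clients.set(clientId, token);
  }
  // Vulnerable path: trust the cache while its entry is younger than cacheTimeoutMs.
  resolveUser(token, now) {
    if (!this.revalidateOnEvent) {
      const cached = this.cache.get(token, now);
      if (cached !== undefined) return cached;
    }
    const userId = this.store.validate(token, now);
    if (userId !== null) this.cache.set(token, userId, now);
    return userId;
  }
  // Deliver one event; returns the ids of the clients that received it.
  broadcast(now) {
    const delivered = [];
    for (const [clientId, token] of this.clients) {
      if (this.resolveUser(token, now) !== null) delivered.push(clientId);
    }
    return delivered;
  }
  // The advisory's workaround: periodically re-check every connected client's
  // session against the store and drop the ones that no longer validate.
  pruneInvalidSessions(now) {
    const dropped = [];
    for (const [clientId, token] of this.clients) {
      if (this.store.validate(token, now) === null) {
        this.clients.delete(clientId);
        this.cache.delete(token);
        dropped.push(clientId);
      }
    }
    return dropped;
  }
}

// Constructed timeline: one client subscribes at t=0 with a session expiring at t=60s.
function runScenario(options) {
  const store = new SessionStore();
  store.create('r:alice-session', 'alice', 60000);
  const lq = new ToyLiveQueryServer(store, options);
  lq.subscribe('client-1', 'r:alice-session', 0);
  const result = {
    at58s: lq.broadcast(58000), // session still valid
    at61s: lq.broadcast(61000), // session expired one second ago
    at70s: lq.broadcast(70000),
  };
  result.prunedAt71s = lq.pruneInvalidSessions(71000);
  result.at72s = lq.broadcast(72000);
  return result;
}

const scenarios = {
  defaultOneHourCache: runScenario({ cacheTimeoutMs: 60 * 60 * 1000 }),
  fiveSecondCache: runScenario({ cacheTimeoutMs: parseServerOptionsWorkaround.liveQueryServerOptions.cacheTimeout }),
  revalidateEveryEvent: runScenario({ cacheTimeoutMs: 60 * 60 * 1000, revalidateOnEvent: true }),
};
console.log(JSON.stringify(scenarios, null, 2));
```

Run it with `node` and compare the three scenarios: only `revalidateEveryEvent` (or the prune sweep) stops delivery at 61s, while the 5 second cache merely shortens how long the expired session keeps receiving events.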

Fix

Weakness Enumeration

Related Identifiers

BIT-PARSE-2020-15270
CVE-2020-15270
GHSA-2XM2-XJ2Q-QGPJ

Affected Products

Parse Server