PT-2022-3535 · Unknown · Parse Server

Mtrezza published (+1) · Published 2022-06-17 · Updated 2024-03-06 · CVE-2022-31083

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.11 (4.x branch) and prior to 5.2.2 (5.x branch)
Description: The Parse Server Apple Game Center auth adapter fetches the certificate named by the publicKeyUrl field of the authData object and uses it to verify the Game Center signature, but it does not validate that certificate itself (it is not checked against Apple's root certificate). An attacker who can make a fake certificate accessible via certain Apple domains and supplies the URL of that certificate in authData can therefore pass the signature check with a key they control and bypass authentication.
Recommendations: For versions prior to 4.10.11 and 5.2.2, update to 4.10.11 or 5.2.2 respectively. These releases introduce a new rootCertificateUrl property for the Parse Server Apple Game Center auth adapter, which takes the URL of the root certificate of Apple's Game Center authentication certificate; the fetched certificate is then validated against that root. Keep the rootCertificateUrl property up to date, as the root certificate can change at any time.


Weakness Enumeration

Improper Authentication (CWE-287)
Improper Certificate Validation (CWE-295)

Related Identifiers

BDU:2022-04318
BIT-PARSE-2022-31083
CVE-2022-31083
GHSA-RH9J-F5F8-RVGC

Affected Products

Parse Server