CVE-2020-15270
receiving subscription objects with deleted session
Description
Original Message: Hi, I create objects with one client with an ACL of all users with a specific column value. Thats working so far. Then I deleted the session object from one user to look if he can receive subscription objects and he can receive them. The client with the deleted session cant create new objects, which Parse restricts right. The LiveQueryServer doesnt detect deleted sessions after the websocket connection was established. There should be a mechanism that checks in an specific interval if the session exists. I dont know if its true with expired sessions. Any solutions? Parse version: 4.3.0 Parse js SDK version: 2.17 Solution: Hi guys. I've found and fixed the problem. It happens because there are two caches in place for the session token: - at Parse Server level, which, according with the docs, should be changed via cacheTTL option and defaults to 5 seconds; - at Parse Live Query level, which, according with the docs, should be changed via liveQueryServerOptions.cacheTimeout and defaults to 30 days. But there are three problems: - cacheTTL has currently no effect over Live Query Server; - cacheTimeout also has currently no effect over Live Query Server; - cacheTimeout actually defaults to 1h. So, currently, if you wait 1 hour after the session token was invalidated, the clients using the old session token are not able to receive the events. What I did: - Added a test case for the problem; - Fixed cacheTTL for Live Query Server; - Fixed cacheTimeout for Live Query Server; - Changed the cacheTimeout to default 5s; - Changed the docs to reflect the actual 5s default for cacheTimeout.
How to fix CVE-2020-15270
To remediate CVE-2020-15270, upgrade the affected package to a fixed version below.
- —upgrade to 4.3.1 or later
- —upgrade to 4.4.0 or later
Is CVE-2020-15270 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.