CVE-2020-15270

MEDIUM4.3EPSS 0.25%

receiving subscription objects with deleted session

發布日:2020/10/27修改日:2026/3/13
也稱為:GHSA-2xm2-xj2q-qgpjBIT-parse-2020-15270

描述

Original Message: Hi, I create objects with one client with an ACL of all users with a specific column value. Thats working so far. Then I deleted the session object from one user to look if he can receive subscription objects and he can receive them. The client with the deleted session cant create new objects, which Parse restricts right. The LiveQueryServer doesnt detect deleted sessions after the websocket connection was established. There should be a mechanism that checks in an specific interval if the session exists. I dont know if its true with expired sessions. Any solutions? Parse version: 4.3.0 Parse js SDK version: 2.17 Solution: Hi guys. I've found and fixed the problem. It happens because there are two caches in place for the session token: - at Parse Server level, which, according with the docs, should be changed via cacheTTL option and defaults to 5 seconds; - at Parse Live Query level, which, according with the docs, should be changed via liveQueryServerOptions.cacheTimeout and defaults to 30 days. But there are three problems: - cacheTTL has currently no effect over Live Query Server; - cacheTimeout also has currently no effect over Live Query Server; - cacheTimeout actually defaults to 1h. So, currently, if you wait 1 hour after the session token was invalidated, the clients using the old session token are not able to receive the events. What I did: - Added a test case for the problem; - Fixed cacheTTL for Live Query Server; - Fixed cacheTimeout for Live Query Server; - Changed the cacheTimeout to default 5s; - Changed the docs to reflect the actual 5s default for cacheTimeout.

受影響套件(2)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 3.1MEDIUM4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(5)