Parse Server JWT Algorithm Misconfiguration Vulnerability
Parse Server's Google auth adapter does not pin the algorithm it uses to verify Google ID tokens: it honours the algorithm named in the attacker-controlled JWT header, so a token declaring 'alg: none' carries no signature and is still accepted. An attacker can therefore forge a token for any subject and take over that account. The PoC shows why verification must enforce a fixed algorithm (Google signs ID tokens with RS256) and validate the signature against Google's published keys.
CVE References
Affected
The vulnerability arises because the Google auth adapter trusts the JWT header's algorithm field. The header is attacker-controlled, so setting 'alg: none' turns the token into an unsigned assertion whose claims (including the user identifier) the adapter accepts without any signature check. Authentication is bypassed and the attacker is logged in as whichever user the forged token names.
The PoC demonstrates that anyone who can submit a Google-auth login can forge such a token with no key material at all, which is why the fix has to reject every algorithm other than the one Google actually uses rather than merely validating the signature when one happens to be present.
Detection
Monitor traffic: where the ID token or its header is visible (gateway, proxy, or authentication logs), flag any Google-auth token whose header algorithm is not RS256 or whose signature segment is empty; Google never issues such tokens. Also watch for logins to accounts from clients or addresses that have never used them before.
Log indicators: after patching, forged tokens fail verification, so a cluster of Google-auth failures caused by invalid or 'none'-algorithm tokens indicates attempted exploitation. Before patching, the same tokens succeeded, so correlate spikes in successful Google logins and unusual user activity with the window in which the vulnerable version was deployed.
Mitigation
Apply patches: upgrade to Parse Server 9.3.1-alpha.4 or 8.6.3. The fixed versions verify Google ID tokens with an explicit RS256 allow-list and resolve the signing key through jwks-rsa from Google's published key set instead of trusting the token header.
Disable auth temporarily: if immediate patching is not possible, disable the Google auth adapter until it is, since a token that never reaches the adapter cannot bypass it.
Enforce an algorithm policy: wherever JWTs are verified, pass an explicit allow-list of accepted algorithms (RS256 for Google ID tokens) to the verification call and look the key up by the token's kid; never let the header decide how, or whether, the signature is checked.
Risk assessment
Likelihood of exploitation: High
Threat interest: High
Explanation: the flaw sits in the authentication path, so it is a prime target. Once the technique is known, exploitation needs nothing beyond crafting an unsigned token, which poses a significant risk to every deployment still running an affected version with Google auth enabled.
Sources