Parse Dashboard Cache Key Collision Vulnerability Leading to Master Key Leakage

A vulnerability exists in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7, where the `ConfigKeyCache` improperly uses the same cache key for both master keys and read-only master keys when handling function-typed keys. This flaw can allow, under certain timing conditions, a read-only user to access the full master key from the cache, or a regular user to obtain the read-only master key.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive keys, allowing for potential misuse of application functions or data management capabilities.

Reproduction

The vulnerability can be reproduced by configuring a Parse Dashboard application with function-typed master keys. A user with read-only privileges can then access the full master key, while a regular user can obtain the read-only master key, due to the cache key collision.

Remediation

Users can upgrade to Parse Dashboard version 9.0.0-alpha.8 or later, where this vulnerability has been patched. Alternatively, avoid using function-typed master keys or remove the `agent` configuration block from the dashboard settings.