GitHub Advisory DatabaseGHSA-4W46-W44M-3JQ3Parse Server stores password in plain text
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS
Percentile
39.6%
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.
In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext.
This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| parseplatform | parse_server | * | cpe:2.3:a:parseplatform:parse_server:*:*:*:*:*:*:*:* |
References
github.com/advisories/GHSA-4w46-w44m-3jq3
github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a
github.com/parse-community/parse-server/releases/tag/4.5.0
github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3
nvd.nist.gov/vuln/detail/CVE-2020-26288
www.npmjs.com/advisories/1593
www.npmjs.com/package/parse-server
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS
Percentile
39.6%