Parse Server stores password in plain text
CVE-2020-26288

7.7HIGH

Key Information:

Vendor

Parse-community

Status
Parse-server
Vendor
CVE Published:
30 December 2020

What is CVE-2020-26288?

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage.

Affected Version(s)

parse-server < 4.5.0

References

https://github.com/parse-community/parse-server/security/...
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/commit/da...
x_refsource_MISC
https://github.com/parse-community/parse-server/releases/...
x_refsource_MISC

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.