Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage.

Remediation

References

https://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a

https://github.com/parse-community/parse-server/releases/tag/4.5.0

https://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3

https://www.npmjs.com/package/parse-server

Related Vulnerabilities

CVE-2022-28367 Vulnerability in maven package org.owasp:antisamy

CVE-2023-34247 Vulnerability in npm package @keystone-6/auth

CVE-2020-28424 Vulnerability in npm package s3-kilatstorage

CVE-2023-26129 Vulnerability in npm package bwm-ng

CVE-2020-10693 Vulnerability in maven package org.hibernate.validator:hibernate-validator

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Third Party Advisory Release Notes Product NVD-CWE-noinfo