Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage.

Remediation

References

https://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a

https://github.com/parse-community/parse-server/releases/tag/4.5.0

https://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3

https://www.npmjs.com/package/parse-server

Related Vulnerabilities

CVE-2016-2171 Vulnerability in maven package org.apache.portals.jetspeed-2:jetspeed-security

CVE-2023-25158 Vulnerability in maven package org.geotools:gt-jdbc

CVE-2022-23437 Vulnerability in maven package xerces:xercesimpl

CVE-2022-4361 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2017-12161 Vulnerability in maven package org.keycloak:keycloak-core

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Third Party Advisory Release Notes Product NVD-CWE-noinfo