Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage.

Remediation

References

https://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a

https://github.com/parse-community/parse-server/releases/tag/4.5.0

https://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3

https://www.npmjs.com/package/parse-server

Related Vulnerabilities

CVE-2022-23596 Vulnerability in maven package com.github.junrar:junrar

CVE-2022-41250 Vulnerability in maven package com.meowlomo.jenkins:scm-httpclient

CVE-2017-18352 Vulnerability in npm package rendertron-middleware

CVE-2021-32827 Vulnerability in maven package org.mock-server:mockserver-core

CVE-2022-37616 Vulnerability in maven package org.webjars.npm:xmldom__xmldom

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Third Party Advisory Release Notes Product NVD-CWE-noinfo