Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-23R4-5MXP-C7G5
HistoryAug 23, 2021 - 7:41 p.m.

parse-server new anonymous user session acts as if it's created with password

2021-08-2319:41:52
CWE-287
CWE-863
GitHub Advisory Database
github.com
57
parse-server
rest api
signup
anonymous user
session
authprovider
_session class
createdwith
password
vulnerability
upgrade
workaround

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

36.7%

JSON

Impact

Developers that use the REST API to signup users and also allow users to login anonymously. When an anonymous user is first signed up using REST, the server creates session incorrectly, particularly the authProvider field in _Session class under createdWith shows the user logged in creating a password. If a developer later depends on the createdWith field to provide a different level of access between a password user and anonymous user, the server incorrectly classified the session type as being created with a password.

The server currently doesn’t use createdWith to make decisions on how things work internally, so if a developer isn’t using createdWith directly, there’s nothing to worry about. The vulnerability only affects users who depend on createdWith by using it directly.

Patches

Upgrade to version 4.5.1.

Workarounds

Don’t use the createdWith Session field to make decisions if you allow anonymous login.

References

n/a

Affected configurations

Vulners
Node
parseplatformparse_serverRange<4.5.2
VendorProductVersionCPE
parseplatformparse_server*cpe:2.3:a:parseplatform:parse_server:*:*:*:*:*:*:*:*

Related

osv 2
nvd 1
prion 1
cvelist 1
veracode 1
cve 1
osv
osv
BIT-parse-2021-39138
2024-03-06 11:03:49
parse-server new anonymous user session acts as if it's created with password
2021-08-23 19:41:52
nvd
nvd
CVE-2021-39138
2021-08-19 16:15:12
prion
prion
Design/Logic Flaw
2021-08-19 16:15:00
cvelist
cvelist
CVE-2021-39138 New anonymous user session acts as if it's created with password
2021-08-18 21:40:11
veracode
veracode
Privilege Escalation
2021-08-20 02:20:09
cve
cve
CVE-2021-39138
2021-08-19 16:15:12

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

36.7%

JSON
Related for GHSA-23R4-5MXP-C7G5
osv2nvd1prion1cvelist1veracode1cve1