CVE-2020-26288 Information
Jun 07, 2022
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is distributed as the npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping the password after authentication to prevent cleartext password storage.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Reference
https://github.com/parse-community/parse-server/releases/tag/4.5.0
https://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a
https://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3
https://www.npmjs.com/package/parse-server
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
6.5
Base Severity
MEDIUM