CVE-2021-39138 Information
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to sign up users and can also allow users to log in anonymously. Prior to version 4.5.1, when an anonymous user is first signed up through the REST API, the server creates the session record incorrectly: the authProvider field under createdWith in the _Session class records the user as having logged in by creating a password. If a developer later relies on the createdWith field to grant different levels of access to password users and anonymous users, the server has misclassified the session as one created with a password, so the anonymous user may receive the password user's level of access. The server does not itself use createdWith to make decisions in its internal functions, so developers who do not read createdWith directly are not affected; the vulnerability only affects deployments that depend on createdWith by using it directly. The issue is patched in Parse Server version 4.5.1. As a workaround, do not use the createdWith field of the Session object to make authorization decisions if anonymous login is enabled.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Reference
https://github.com/parse-community/parse-server/commit/147bd9a3dc43391e92c36e05d5db860b04ca27db
https://github.com/parse-community/parse-server/releases/tag/4.5.1
https://github.com/parse-community/parse-server/security/advisories/GHSA-23r4-5mxp-c7g5
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
6.5
Base Severity
MEDIUM