Vulnerability Description
Parse Server is an open-source backend that can be deployed to any infrastructure that can run Node.js; it is distributed as the npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext: the credentials submitted for the LDAP login are written to the user record along with the rest of the authentication data. This is fixed in version 4.5.0 by stripping the password after authentication so that it is no longer persisted.
CVSS Score
7.7 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 4.5.0 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21 (Patch, Third Party Advisory)
- https://github.com/parse-community/parse-server/releases/tag/4.5.0 (Release Notes, Third Party Advisory)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w4 (Third Party Advisory)
- https://www.npmjs.com/package/parse-server (Product, Third Party Advisory)
FAQ
What is CVE-2020-26288?
CVE-2020-26288 is a cleartext credential storage vulnerability in Parse Server (npm package "parse-server") before version 4.5.0, rated 7.7 (HIGH). User passwords involved in LDAP authentication are stored in cleartext in the user record; see the Vulnerability Description above for details.
How severe is CVE-2020-26288?
CVE-2020-26288 has been rated HIGH with a CVSS base score of 7.7/10. This page lists only the base score and severity rating; the advisory in the References carries the vendor's own assessment.
Is there a patch for CVE-2020-26288?
Yes. The issue is fixed in Parse Server 4.5.0, which strips the password after LDAP authentication instead of persisting it; upgrade to 4.5.0 or later. The fix commit, release notes and security advisory are listed in the References above. Note that the fix prevents new cleartext writes: user records written by an affected version may still contain the password and should be checked and cleaned up separately. Affected products: Parseplatform Parse-Server < 4.5.0.