Cleartext storage of sensitive information in parse-server

#VU49206 Cleartext storage of sensitive information in parse-server

Published: 2020-12-30

Vulnerability identifier: #VU49206

Vulnerability risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-26288

CWE-ID: CWE-312

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
parse-server
Web applications / Modules and components for CMS

Vendor: MeetFox

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to application stores passwords involved in LDAP authentication in cleartext. An attacker with ability to access the application can obtain passwords in clear text.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

parse-server: 1.0.0 - 4.4.0

External links
http://www.npmjs.com/advisories/1593
http://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3
http://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a
http://github.com/parse-community/parse-server/releases/tag/4.5.0

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Cleartext storage of passwords in parse-server NPM package