CVE-2020-26288
Summary
| CVE | CVE-2020-26288 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-12-30 20:15:00 UTC |
| Updated | 2021-01-04 21:01:00 UTC |
| Description | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| parse-server | MISC | www.npmjs.com | Product, Third Party Advisory |
| LDAP auth stores password in plain text · Advisory · parse-community/parse-server · GitHub | CONFIRM | github.com | Third Party Advisory |
| Release 4.5.0 · parse-community/parse-server · GitHub | MISC | github.com | Release Notes, Third Party Advisory |
| Merge pull request from GHSA-4w46-w44m-3jq3 · parse-community/parse-server@da905a3 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 983235 Nodejs (npm) Security Update for parse-server (GHSA-4w46-w44m-3jq3)