This security advisory describes one low risk vulnerability.
1) Cleartext storage of sensitive information
Risk: Low
CVSSv3: 4.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]
CVE-ID: CVE-2020-26288
CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
Description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to application stores passwords involved in LDAP authentication in cleartext. An attacker with ability to access the application can obtain passwords in clear text.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
parse-server: 1.0.0, 1.0.1, 1.0.2, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, 2.2.21, 2.2.22, 2.2.23, 2.2.24, 2.2.25, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.1, 3.2.3, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.4, 3.5.0, 3.6.0, 3.7.0, 3.7.2, 3.8.0, 3.9.0, 3.10.0, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 4.4.0
CPE
External links
https://www.npmjs.com/advisories/1593https://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3https://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92ahttps://github.com/parse-community/parse-server/releases/tag/4.5.0
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The ..
Support the originator by clicking the read the rest link below.
