Vulnerability Details : CVE-2020-26288
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package, "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping the password after authentication to prevent cleartext password storage.
Products affected by CVE-2020-26288
- cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26288
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 38 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-26288
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 3.1 | 4.0 | GitHub, Inc. | |
CWE ids for CVE-2020-26288
- The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Assigned by: security-advisories@github.com (Primary)
References for CVE-2020-26288
- https://www.npmjs.com/package/parse-server (parse-server - npm; Product; Third Party Advisory)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3 (LDAP auth stores password in plain text · Advisory · parse-community/parse-server · GitHub; Third Party Advisory)
- https://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a (Merge pull request from GHSA-4w46-w44m-3jq3 · parse-community/parse-server@da905a3 · GitHub; Patch; Third Party Advisory)
- https://github.com/parse-community/parse-server/releases/tag/4.5.0 (Release 4.5.0 · parse-community/parse-server · GitHub; Release Notes; Third Party Advisory)