CVE-2021-41109 : Parse Server is an open source backend that can be deployed to any infrastructur

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the `Parse.User` class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload. A patch in version 4.10.4 removes session tokens from the LiveQuery payload. As a workaround, set `user.acl(new Parse.ACL())` in a beforeSave trigger to make the user private already on sign-up.

Published 2021-09-30 15:15:08

Updated 2021-10-08 03:23:12

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2021-41109

Parseplatform » Parse-server » For Node.js
Versions before (<) 4.10.4
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-41109

EPSS FAQ

0.36%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 55 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-41109

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-41109

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-41109

https://github.com/parse-community/parse-server/releases/tag/4.10.4

Release 4.10.4 · parse-community/parse-server · GitHub
Release Notes;Third Party Advisory
https://github.com/parse-community/parse-server/commit/4ac4b7f71002ed4fbedbb901db1f6ed1e9ac5559

Merge pull request from GHSA-7pr3-p5fm-8r9x · parse-community/parse-server@4ac4b7f · GitHub
Patch;Third Party Advisory
https://github.com/parse-community/parse-server/security/advisories/GHSA-7pr3-p5fm-8r9x

LiveQuery publishes user session tokens · Advisory · parse-community/parse-server · GitHub
Mitigation;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-41109

Products affected by CVE-2021-41109

Exploit prediction scoring system (EPSS) score for CVE-2021-41109

CVSS scores for CVE-2021-41109

CWE ids for CVE-2021-41109

References for CVE-2021-41109