Skip to content

parse-server new anonymous user session acts as if it's created with password

Moderate severity GitHub Reviewed Published Aug 18, 2021 in parse-community/parse-server • Updated Jan 27, 2023

Package

npm parse-server (npm)

Affected versions

< 4.5.2

Patched versions

4.5.2

Description

Impact

Developers that use the REST API to signup users and also allow users to login anonymously. When an anonymous user is first signed up using REST, the server creates session incorrectly, particularly the authProvider field in _Session class under createdWith shows the user logged in creating a password. If a developer later depends on the createdWith field to provide a different level of access between a password user and anonymous user, the server incorrectly classified the session type as being created with a password.

The server currently doesn't use createdWith to make decisions on how things work internally, so if a developer isn't using createdWith directly, there's nothing to worry about. The vulnerability only affects users who depend on createdWith by using it directly.

Patches

Upgrade to version 4.5.1.

Workarounds

Don't use the createdWith Session field to make decisions if you allow anonymous login.

References

n/a

References

@mtrezza mtrezza published to parse-community/parse-server Aug 18, 2021
Published by the National Vulnerability Database Aug 19, 2021
Reviewed Aug 23, 2021
Published to the GitHub Advisory Database Aug 23, 2021
Last updated Jan 27, 2023

Severity

Moderate
4.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2021-39138

GHSA ID

GHSA-23r4-5mxp-c7g5

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.