Parse Server stores password in plain text

Low severity GitHub Reviewed Published Dec 2, 2020 in parse-community/parse-server • Updated Feb 1, 2023

Package

parse-server (npm)

Affected versions

< 4.5.0

Patched versions

4.5.0

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.
In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext.
This is fixed in version 4.5.0 by stripping the password after authentication, which prevents it from being stored in cleartext.
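
The before and after behaviour described above, as an added sketch that is not Parse Server's code: the LDAP bind is a stub over a constructed directory, the store is a `Map`, and every function name and the `authData.ldap` record shape are assumptions made for illustration. `findStoredSecrets` is an audit over records of that assumed shape, reporting which users still carry a stored password.

```javascript
// Added illustration; not Parse Server's code. All names are hypothetical.
const SECRET_KEYS = ['password'];

// Stand-in for an LDAP bind, backed by a constructed one-account directory.
const DIRECTORY = new Map([['alice', 'correct horse']]);
function ldapBind(id, password) {
  return typeof password === 'string' && DIRECTORY.get(id) === password;
}

// "Before" behaviour: the submitted authData is persisted unchanged,
// so the LDAP password lands in the user record in cleartext.
function loginVulnerable(store, authData) {
  if (!ldapBind(authData.id, authData.password)) {
    throw new Error('LDAP authentication failed');
  }
  store.set(authData.id, { authData: { ldap: authData } });
}

// "After" behaviour: the password is used for the bind only and is
// stripped from the object before anything is written to the store.
function loginFixed(store, authData) {
  if (!ldapBind(authData.id, authData.password)) {
    throw new Error('LDAP authentication failed');
  }
  const persistable = Object.fromEntries(
    Object.entries(authData).filter(([key]) => !SECRET_KEYS.includes(key))
  );
  store.set(authData.id, { authData: { ldap: persistable } });
}

// Audit helper: ids of stored users whose LDAP authData still holds a
// non-empty secret field (assumed record shape: user.authData.ldap).
function findStoredSecrets(store) {
  const hits = [];
  for (const [id, user] of store) {
    const ldap = (user.authData && user.authData.ldap) || {};
    const leaked = SECRET_KEYS.some(
      (key) => typeof ldap[key] === 'string' && ldap[key].length > 0
    );
    if (leaked) hits.push(id);
  }
  return hits;
}
```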

Reviewed Dec 28, 2020
Published to the GitHub Advisory Database Dec 28, 2020
Published by the National Vulnerability Database Dec 30, 2020
Last updated Feb 1, 2023

Severity

Low

EPSS score

0.092%
(41st percentile)

CVE ID

CVE-2020-26288

GHSA ID

GHSA-4w46-w44m-3jq3

Source code

No known source code
