Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTIzcjQtNW14cC1jN2c1

parse-server new anonymous user session acts as if it's created with password

Impact

Developers that use the REST API to signup users and also allow users to login anonymously. When an anonymous user is first signed up using REST, the server creates session incorrectly, particularly the authProvider field in _Session class under createdWith shows the user logged in creating a password. If a developer later depends on the createdWith field to provide a different level of access between a password user and anonymous user, the server incorrectly classified the session type as being created with a password.

The server currently doesn't use createdWith to make decisions on how things work internally, so if a developer isn't using createdWith directly, there's nothing to worry about. The vulnerability only affects users who depend on createdWith by using it directly.

Patches

Upgrade to version 4.5.1.

Workarounds

Don't use the createdWith Session field to make decisions if you allow anonymous login.

References

n/a

Permalink: https://github.com/advisories/GHSA-23r4-5mxp-c7g5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTIzcjQtNW14cC1jN2c1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago


CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-23r4-5mxp-c7g5, CVE-2021-39138
References: Repository: https://github.com/parse-community/parse-server
Blast Radius: 14.8

Affected Packages

npm:parse-server
Dependent packages: 122
Dependent repositories: 1,211
Downloads: 107,678 last month
Affected Version Ranges: < 4.5.2
Fixed in: 4.5.2
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, 2.2.21, 2.2.22, 2.2.23, 2.2.24, 2.2.25, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.1, 3.2.3, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.4, 3.5.0, 3.6.0, 3.7.0, 3.7.2, 3.8.0, 3.9.0, 3.10.0, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.5.1
All unaffected versions: 4.5.2, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.10.8, 4.10.9, 4.10.10, 4.10.11, 4.10.12, 4.10.13, 4.10.14, 4.10.15, 4.10.16, 4.10.17, 4.10.18, 4.10.19, 4.10.20, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.6.0, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 7.0.0