ghsa-23r4-5mxp-c7g5
Vulnerability from github
Impact
Developers that use the REST API to signup users and also allow users to login anonymously. When an anonymous user is first signed up using REST, the server creates session incorrectly, particularly the authProvider field in _Session class under createdWith shows the user logged in creating a password. If a developer later depends on the createdWith field to provide a different level of access between a password user and anonymous user, the server incorrectly classified the session type as being created with a password.
The server currently doesn't use createdWith to make decisions on how things work internally, so if a developer isn't using createdWith directly, there's nothing to worry about. The vulnerability only affects users who depend on createdWith by using it directly.
Patches
Upgrade to version 4.5.1.
Workarounds
Don't use the createdWith Session field to make decisions if you allow anonymous login.
References
n/a
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39138"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-23T17:07:34Z",
"nvd_published_at": "2021-08-19T16:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nDevelopers that use the REST API to signup users and also allow users to login anonymously. When an anonymous user is first signed up using REST, the server creates session incorrectly, particularly the `authProvider` field in `_Session` class under `createdWith` shows the user logged in creating a password. If a developer later depends on the `createdWith` field to provide a different level of access between a password user and anonymous user, the server incorrectly classified the session type as being created with a `password`.\n\nThe server currently doesn\u0027t use `createdWith` to make decisions on how things work internally, so if a developer isn\u0027t using `createdWith` directly, there\u0027s nothing to worry about. The vulnerability only affects users who depend on `createdWith` by using it directly. \n\n### Patches\nUpgrade to version 4.5.1.\n\n### Workarounds\nDon\u0027t use the `createdWith` Session field to make decisions if you allow anonymous login.\n\n### References\nn/a",
"id": "GHSA-23r4-5mxp-c7g5",
"modified": "2022-08-15T20:04:54Z",
"published": "2021-08-23T19:41:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-23r4-5mxp-c7g5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39138"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/147bd9a3dc43391e92c36e05d5db860b04ca27db"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/4.5.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "parse-server new anonymous user session acts as if it\u0027s created with password"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.