GHSA-23r4-5mxp-c7g5

Source
https://github.com/advisories/GHSA-23r4-5mxp-c7g5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-23r4-5mxp-c7g5/GHSA-23r4-5mxp-c7g5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-23r4-5mxp-c7g5
Published
2021-08-23T19:41:52Z
Modified
2023-12-06T01:01:25.982965Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
parse-server new anonymous user session acts as if it's created with password
Details

Impact

This affects developers that use the REST API to sign up users and also allow users to log in anonymously. When an anonymous user is first signed up via REST, the server creates the session incorrectly: the authProvider field under createdWith in the _Session class records the user as having logged in with a password. If a developer later relies on the createdWith field to grant different levels of access to password users and anonymous users, the server has incorrectly classified the session as having been created with a password.

The server itself does not currently use createdWith to make internal decisions, so a developer who does not read createdWith directly has nothing to worry about. The vulnerability only affects deployments that depend on createdWith by using it directly.

Patches

Upgrade to version 4.5.1.

Workarounds

Don't use the createdWith Session field to make decisions if you allow anonymous login.
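A defender-side illustration of the workaround, added here and not part of the advisory or of parse-server's own code: two classifiers for the same session record, one keyed on createdWith.authProvider (the field this advisory says is wrong for anonymous REST signups on affected versions) and one keyed on the user's authData. It assumes the Parse convention that a user who logged in anonymously carries authData.anonymous and that this entry is cleared (set to null) once the account is upgraded with a password; the session and user records below are constructed samples.

```javascript
// Added example; not parse-server code. Shows how an access check keyed on
// _Session.createdWith.authProvider over-privileges an anonymous user on an
// affected server, and a check keyed on the user's authData instead.
//
// Assumption: Parse stores anonymous logins as authData.anonymous on the user
// and clears that entry (null) when the account is given a username/password.

// Constructed sample: what an anonymous REST signup produced on an affected
// server. The session claims "password" although the user only has anonymous authData.
const anonymousSignupSession = {
  sessionToken: 'r:CONSTRUCTED-ANON-TOKEN',
  createdWith: { action: 'signup', authProvider: 'password' }, // wrong on affected versions
  user: {
    objectId: 'u1',
    authData: { anonymous: { id: '00000000-0000-0000-0000-000000000001' } },
  },
};

// Constructed sample: a genuine username/password signup (no authData at all).
const passwordSignupSession = {
  sessionToken: 'r:CONSTRUCTED-PW-TOKEN',
  createdWith: { action: 'signup', authProvider: 'password' },
  user: { objectId: 'u2', username: 'alice' },
};

// Constructed sample: a formerly anonymous user who later set a password;
// by the assumed convention authData.anonymous is now null.
const upgradedUserSession = {
  sessionToken: 'r:CONSTRUCTED-UPGRADED-TOKEN',
  createdWith: { action: 'upgrade', authProvider: 'password' },
  user: { objectId: 'u3', username: 'bob', authData: { anonymous: null } },
};

// Pattern the advisory warns against: trusting createdWith.authProvider.
function isAnonymousByCreatedWith(session) {
  return session.createdWith?.authProvider === 'anonymous';
}

// Workaround pattern: decide from the user record's authData, which is
// written by the anonymous login itself rather than by session bookkeeping.
function isAnonymousByAuthData(session) {
  const authData = session.user?.authData;
  return Boolean(authData && authData.anonymous);
}

// Authorization helper: anonymous sessions get read-only access,
// everyone else gets full access. The classifier is injectable so the
// two patterns can be compared on identical input.
function allowedActions(session, classify = isAnonymousByAuthData) {
  return classify(session) ? ['read'] : ['read', 'write', 'delete'];
}

// Stand-alone run: print what each classifier concludes for each sample.
for (const s of [anonymousSignupSession, passwordSignupSession, upgradedUserSession]) {
  console.log(
    s.user.objectId,
    'createdWith says anonymous:', isAnonymousByCreatedWith(s),
    'authData says anonymous:', isAnonymousByAuthData(s),
    'granted:', allowedActions(s).join(','),
  );
}
```

On the constructed anonymous-signup record the createdWith-based check grants write and delete, while the authData-based check correctly limits the session to read; both checks agree on the password and upgraded users.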

References

n/a

Database specific
{
    "nvd_published_at": "2021-08-19T16:15:00Z",
    "github_reviewed_at": "2021-08-23T17:07:34Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-287",
        "CWE-863"
    ]
}
Affected packages

npm / parse-server

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.5.2