parse-server new anonymous user session acts as if it's created with password
- Severity: Medium
Description
This affects developers who use the REST API to sign up users and also allow users to log in anonymously. When an anonymous user is first signed up via REST, the server creates the session incorrectly: the `authProvider` field under `createdWith` in the `_Session` class indicates that the user logged in by creating a password.
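As an added defender-side audit (not part of this advisory or of parse-server itself), the check below cross-references exported `_User` and `_Session` rows: a user whose `authData.anonymous` is set should not own a session whose `createdWith.authProvider` reads `password`. The sample rows are constructed, and the value `anonymous` used for a correctly recorded anonymous session is an assumption.

```javascript
// Added audit example; not code from the advisory or from parse-server.
// Sample rows are constructed to mirror the shape of _User and _Session records
// as returned by the REST API (the user field on _Session is a Pointer).
const users = [
  { objectId: 'u1', username: 'alice' },                                   // password signup
  { objectId: 'u2', username: 'anon-x', authData: { anonymous: { id: 'constructed-id' } } },
];

const sessions = [
  { objectId: 's1', user: { __type: 'Pointer', className: '_User', objectId: 'u1' },
    createdWith: { action: 'signup', authProvider: 'password' } },
  // Row exhibiting the advisory's defect: anonymous user, session claims a password signup.
  { objectId: 's2', user: { __type: 'Pointer', className: '_User', objectId: 'u2' },
    createdWith: { action: 'signup', authProvider: 'password' } },
  // Assumed correct recording of an anonymous session.
  { objectId: 's3', user: { __type: 'Pointer', className: '_User', objectId: 'u2' },
    createdWith: { action: 'login', authProvider: 'anonymous' } },
];

// True when the _User row carries anonymous authData.
function isAnonymousUser(user) {
  return Boolean(user && user.authData && user.authData.anonymous);
}

// Returns the _Session rows whose createdWith.authProvider is 'password'
// although the owning _User row is an anonymous user.
function findMisattributedSessions(userRows, sessionRows) {
  const byId = new Map(userRows.map((u) => [u.objectId, u]));
  return sessionRows.filter((s) => {
    const owner = byId.get(s.user && s.user.objectId);
    const provider = s.createdWith && s.createdWith.authProvider;
    return isAnonymousUser(owner) && provider === 'password';
  });
}

module.exports = { users, sessions, isAnonymousUser, findMisattributedSessions };
```

Sessions flagged by this check were created before the upgrade and still misstate how the user authenticated; reviewing them is a reasonable follow-up once the patched version is deployed.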
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): < 4.5.2
- Patched version(s): 4.5.2
References
Related Issues
- LiveQuery publishes user session tokens in parse-server - CVE-2021-41109
- parse-server's session object properties can be updated by foreign user if object ID is known - CVE-2022-39225
- Parse Server stores password in plain text - CVE-2020-26288
- Parse Server vulnerable to brute force guessing of user sensitive data via search patterns - CVE-2022-36079
- Tags: npm, parse-server
Last updated on January 27, 2023