CVE-2020-26288
Parse Server stores password in plain text
CVSS 3.1: 7.7 (HIGH)
EPSS: 0.16%
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping the password after authentication to prevent cleartext password storage.
How to fix CVE-2020-26288
To remediate CVE-2020-26288, upgrade the affected package to the fixed version listed below.
- upgrade to 4.5.0 or later
Is CVE-2020-26288 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 4.5.0
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | 7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |