// For flags

CVE-2021-39138

New anonymous user session acts as if it's created with password

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously. Prior to version 4.5.1, when an anonymous user is first signed up using REST, the server creates session incorrectly. Particularly, the `authProvider` field in `_Session` class under `createdWith` shows the user logged in creating a password. If a developer later depends on the `createdWith` field to provide a different level of access between a password user and anonymous user, the server incorrectly classified the session type as being created with a `password`. The server does not currently use `createdWith` to make decisions about internal functions, so if a developer is not using `createdWith` directly, they are not affected. The vulnerability only affects users who depend on `createdWith` by using it directly. The issue is patched in Parse Server version 4.5.1. As a workaround, do not use the `createdWith` Session field to make decisions if one allows anonymous login.

Parse Server es un backend de código abierto que puede desplegarse en cualquier infraestructura que pueda ejecutar Node.js. Los desarrolladores pueden usar la API REST para registrar usuarios y también permitir a usuarios registrarse anónimamente. Versiones anteriores a 4.5.1, cuando un usuario anónimo es registrado por primera vez usando REST, el servidor creaba la sesión incorrectamente. En particular, el campo "authProvider" de la clase "_Session" en "createdWith" muestra que el usuario se ha registrado creando una contraseña. Si un desarrollador depende posteriormente del campo "createdWith" para proporcionar un nivel de acceso diferente entre un usuario con contraseña y un usuario anónimo, el servidor clasifica incorrectamente el tipo de sesión como creada con un "password". El servidor no usa actualmente "createdWith" para tomar decisiones sobre las funciones internas, por lo que si un desarrollador no está usando "createdWith" directamente, no está afectado. La vulnerabilidad sólo afecta a usuarios que dependen de "createdWith" al usarlo directamente. El problema está parcheado en Parse Server versión 4.5.1. Como solución, no use el campo de sesión "createdWith" para tomar decisiones si se permite el acceso anónimo.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-08-16 CVE Reserved
  • 2021-08-18 CVE Published
  • 2024-05-03 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-287: Improper Authentication
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Parseplatform
Search vendor "Parseplatform"
 Parse-server
Search vendor "Parseplatform" for product "Parse-server"
 < 4.5.1
Search vendor "Parseplatform" for product "Parse-server" and version " < 4.5.1"
node.js
Affected