SCA: security update for parse-server (GHSA-23r4-5mxp-c7g5)

medium Tenable Self-Hosted Container Security Plugin ID 408642

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.
Developers can use the REST API to signup users and also allow users to login anonymously. Prior to
version 4.5.1, when an anonymous user is first signed up using REST, the server creates session
incorrectly. Particularly, the `authProvider` field in `_Session` class under `createdWith` shows the user
logged in creating a password. If a developer later depends on the `createdWith` field to provide a
different level of access between a password user and anonymous user, the server incorrectly classified
the session type as being created with a `password`. The server does not currently use `createdWith` to
make decisions about internal functions, so if a developer is not using `createdWith` directly, they are
not affected. The vulnerability only affects users who depend on `createdWith` by using it directly. The
issue is patched in Parse Server version 4.5.1. As a workaround, do not use the `createdWith` Session
field to make decisions if one allows anonymous login. (CVE-2021-39138)

See Also

https://github.com/advisories/GHSA-23r4-5mxp-c7g5

Plugin Details

Severity: Medium

ID: 408642

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 6.91

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2021-39138

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/23/2021

Vulnerability Publication Date: 8/18/2021

Reference Information

CVE: CVE-2021-39138