
CVE-2021-39138 : Security Advisory and Response

Parse Server prior to version 4.5.1 misclassifies anonymous user sessions, potentially affecting user access levels. Learn about the impact, technical details, and mitigation steps for CVE-2021-39138.

Parse Server prior to version 4.5.1 incorrectly classifies an anonymous user session as created with a password, potentially impacting user access levels.

Understanding CVE-2021-39138

A Parse Server vulnerability in which anonymous user sessions are misclassified as password-created sessions.

What is CVE-2021-39138?

Parse Server creates anonymous user sessions incorrectly, mislabeling them as if they were created with a password, affecting user access differentiation.

The Impact of CVE-2021-39138

The vulnerability can lead to incorrect classification of user session types, impacting access control decisions based on session creation method.

Technical Details of CVE-2021-39138

Parse Server vulnerability details.

Vulnerability Description

The issue arises when an anonymous user signs up, causing their session to be inaccurately marked as created with a password.

Affected Systems and Versions

Product: parse-server
Vendor: parse-community
Versions Affected: < 4.5.1

Exploitation Mechanism

The vulnerability becomes exploitable when developers rely on the createdWith field in the session class to differentiate between password and anonymous users: because an anonymous signup is recorded as if it were created with a password, such a check grants the anonymous session the same treatment as a password-authenticated one.

Mitigation and Prevention

Addressing CVE-2021-39138.

Immediate Steps to Take

Upgrade to Parse Server version 4.5.1 or higher.
Avoid using the createdWith field for access control decisions if anonymous login is permitted.
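The following is an added example, not code from this advisory or from Parse Server itself. It contrasts an access check that trusts the session's createdWith field (the pattern this advisory warns against) with one that decides from the user record instead. The session and user objects are constructed inline; their layout (createdWith.action and createdWith.authProvider on a session, authData.anonymous on a user) is assumed here to follow Parse Server's object shape.

```javascript
// Constructed sample records shaped like Parse Server _Session / _User objects.
// On Parse Server < 4.5.1 an anonymous signup produced a session whose
// createdWith claimed authProvider "password" (the CVE-2021-39138 mislabelling).
const anonymousSignupSession = {
  sessionToken: 'r:constructed-anon-token',
  createdWith: { action: 'signup', authProvider: 'password' }, // mislabelled
  user: {
    objectId: 'anonUser1',
    authData: { anonymous: { id: 'constructed-anon-uuid' } }, // assumed user shape
  },
};

const passwordSignupSession = {
  sessionToken: 'r:constructed-pw-token',
  createdWith: { action: 'signup', authProvider: 'password' },
  user: { objectId: 'realUser1', username: 'alice' }, // no authData: password account
};

// Vulnerable check: trusts the session's createdWith.authProvider.
// On an unpatched server this returns true for an anonymous account.
function isPasswordUserViaCreatedWith(session) {
  return session.createdWith.authProvider === 'password';
}

// Hardened check: look at the user record, not the session metadata.
// A user who logged in anonymously carries authData.anonymous (assumed
// to be cleared when the account is upgraded to a username/password one).
function isAnonymousUser(user) {
  return Boolean(user.authData && user.authData.anonymous);
}

// Gate a sensitive action on the hardened check, so an anonymous session is
// denied regardless of what createdWith says.
function canPerformSensitiveAction(session) {
  return !isAnonymousUser(session.user);
}

// Usage: the vulnerable check passes the anonymous session, the hardened one does not.
console.log(isPasswordUserViaCreatedWith(anonymousSignupSession)); // true (wrong)
console.log(canPerformSensitiveAction(anonymousSignupSession));    // false
console.log(canPerformSensitiveAction(passwordSignupSession));     // true
```

After upgrading to 4.5.1 the session is labelled correctly, but the user-based check remains the safer basis for authorization because it does not depend on how the session was recorded.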

Long-Term Security Practices

        Regularly update Parse Server to the latest version.
        Conduct security audits to detect and address any similar misclassification vulnerabilities.

Patching and Updates

Ensure timely application of patches and updates provided by Parse Server to mitigate the vulnerability.
