Vulnerabilities

 1 via 1 paths

Dependencies

 373

Source

 GitHub

Commit

 220852ed

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 1
  • 1
Severity
  • 1
  • 1
Status
  • 2
  • 0
  • 0

critical severity
new

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: parse-server
  • Introduced through: parse-server@9.2.0

Detailed paths

  • Introduced through: parse-server-example@parse-community/parse-server-example#220852edce10892435e0388e78fcb0da3f1849e6 parse-server@9.2.0
    Remediation: Upgrade to parse-server@9.3.1.

Overview

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via the Google authentication. An attacker can gain unauthorized access to any user account linked with Google authentication by forging a JWT token with alg set to "none". This is only exploitable if Google authentication is enabled.

Workaround

This vulnerability can be mitigated by disabling Google authentication until upgrading is possible.

Remediation

Upgrade parse-server to version 8.6.3, 9.3.1-alpha.4 or higher.

References

Use of a Broken or Risky Cryptographic Algorithm vulnerability report

medium severity

MPL-2.0 license

  • Module: web-push
  • Introduced through: parse-server@9.2.0

Detailed paths

  • Introduced through: parse-server-example@parse-community/parse-server-example#220852edce10892435e0388e78fcb0da3f1849e6 parse-server@9.2.0 @parse/push-adapter@8.2.0 web-push@3.6.7

MPL-2.0 license

MPL-2.0 license vulnerability report