CVE-2024-27298 – parse-server

Package

Manager: npm
Name: parse-server
Vulnerable Version: >=0 <6.5.0 || >=7.0.0-alpha.1 <7.0.0-alpha.20

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00079 pctl0.24149

Details

ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection ### Impact This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. ### Patches The algorithm to detect SQL injection has been improved. ### Workarounds None. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2 - https://github.com/parse-community/parse-server/releases/tag/6.5.0 (fixed in Parse Server 6) - https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 (fixed in Parse Server 7 alpha release) ### Credits - Mikhail Shcherbakov (https://twitter.com/yu5k3) working with Trend Micro Zero Day Initiative (finder) - Ehsan Persania (remediation developer) - Manuel Trezza (coordinator)

Metadata

Created: 2024-03-01T20:08:23Z
Modified: 2024-03-01T20:08:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-6927-3vr9-fxf2/GHSA-6927-3vr9-fxf2.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-6927-3vr9-fxf2
Finding: F297
Auto approve: 1