Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02OTI3LTN2cjktZnhmMs4AA5sK

ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection

Impact

This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.

Patches

The algorithm to detect SQL injection has been improved.

Workarounds

None.

Permalink: https://github.com/advisories/GHSA-6927-3vr9-fxf2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OTI3LTN2cjktZnhmMs4AA5sK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 9 months ago
Updated: 9 months ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Identifiers: GHSA-6927-3vr9-fxf2, CVE-2024-27298
References: Repository: https://github.com/parse-community/parse-server
Blast Radius: 30.8

Affected Packages

npm:parse-server
Dependent packages: 122
Dependent repositories: 1,211
Downloads: 116,081 last month
Affected Version Ranges: >= 7.0.0-alpha.1 and < 7.0.0-alpha.20; < 6.5.0
Fixed in: 7.0.0-alpha.20, 6.5.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, 2.2.21, 2.2.22, 2.2.23, 2.2.24, 2.2.25, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.1, 3.2.3, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.4, 3.5.0, 3.6.0, 3.7.0, 3.7.2, 3.8.0, 3.9.0, 3.10.0, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.10.8, 4.10.9, 4.10.10, 4.10.11, 4.10.12, 4.10.13, 4.10.14, 4.10.15, 4.10.16, 4.10.17, 4.10.18, 4.10.19, 4.10.20, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.6.0, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0, 7.0.0-alpha.1, 7.0.0-alpha.2, 7.0.0-alpha.3, 7.0.0-alpha.4, 7.0.0-alpha.5, 7.0.0-alpha.6, 7.0.0-alpha.7, 7.0.0-alpha.8, 7.0.0-alpha.9, 7.0.0-alpha.10, 7.0.0-alpha.11, 7.0.0-alpha.12, 7.0.0-alpha.13, 7.0.0-alpha.14, 7.0.0-alpha.15, 7.0.0-alpha.16, 7.0.0-alpha.17, 7.0.0-alpha.18, 7.0.0-alpha.19
All unaffected versions: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.5.11, 7.0.0, 7.1.0, 7.2.0, 7.3.0