Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02aGg3LTQ2cjItdmYyOc4AA6JD
Server crashes on invalid Cloud Function or Cloud Job name
Impact
Calling an invalid Parse Server Cloud Function name or Cloud Job name crashes server and may allow for code injection.
Patches
Added string sanitation for Cloud Function name and Cloud Job name.
Workarounds
Sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29
- https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29 (Fix for Parse Server 7 alpha)
- https://github.com/parse-community/parse-server/releases/tag/6.5.5 (Fix for Parse Server 6 LTS)
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02aGg3LTQ2cjItdmYyOc4AA6JD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-6hh7-46r2-vf29, CVE-2024-29027
References:
- https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29
- https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b
- https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e
- https://github.com/parse-community/parse-server/releases/tag/6.5.5
- https://nvd.nist.gov/vuln/detail/CVE-2024-29027
- https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29
- https://github.com/advisories/GHSA-6hh7-46r2-vf29
Blast Radius: 28.1
Affected Packages
npm:parse-server
Dependent packages: 122Dependent repositories: 1,211
Downloads: 110,213 last month
Affected Version Ranges: >= 7.0.0-alpha.1, < 7.0.0-alpha.29, < 6.5.5
Fixed in: 7.0.0-alpha.29, 6.5.5
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, 2.2.21, 2.2.22, 2.2.23, 2.2.24, 2.2.25, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.1, 3.2.3, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.4, 3.5.0, 3.6.0, 3.7.0, 3.7.2, 3.8.0, 3.9.0, 3.10.0, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.10.8, 4.10.9, 4.10.10, 4.10.11, 4.10.12, 4.10.13, 4.10.14, 4.10.15, 4.10.16, 4.10.17, 4.10.18, 4.10.19, 4.10.20, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.6.0, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 7.0.0-alpha.1, 7.0.0-alpha.2, 7.0.0-alpha.3, 7.0.0-alpha.4, 7.0.0-alpha.5, 7.0.0-alpha.6, 7.0.0-alpha.7, 7.0.0-alpha.8, 7.0.0-alpha.9, 7.0.0-alpha.10, 7.0.0-alpha.11, 7.0.0-alpha.12, 7.0.0-alpha.13, 7.0.0-alpha.14, 7.0.0-alpha.15, 7.0.0-alpha.16, 7.0.0-alpha.17, 7.0.0-alpha.18, 7.0.0-alpha.19, 7.0.0-alpha.20, 7.0.0-alpha.21, 7.0.0-alpha.22, 7.0.0-alpha.23, 7.0.0-alpha.24, 7.0.0-alpha.25, 7.0.0-alpha.26, 7.0.0-alpha.27, 7.0.0-alpha.28
All unaffected versions: 6.5.5, 7.0.0