Security Advisory: Injection Vulnerability in Parse Server Prior to Versions 6.5.5 and 7.0.0-alpha.29
CVE-2024-29027

9.1 CRITICAL

Key Information:

Vendor:
CVE Published: 19 March 2024

What is CVE-2024-29027?

Parse Server, an open-source backend platform that runs on Node.js, has a vulnerability that allows an attacker to crash the server by calling an invalid Cloud Function or Cloud Job name. The issue affects releases earlier than versions 6.5.5 and 7.0.0-alpha.29 and poses risks including code injection and unauthorized manipulation of the internal store, potentially leading to remote execution of malicious code. The patches in versions 6.5.5 and 7.0.0-alpha.29 add string sanitation measures designed to prevent such attacks. Users are advised to sanitize Cloud Function names and Job names before Parse Server processes them, so that the threat is mitigated effectively.
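The advisory recommends sanitizing Cloud Function and Job names before they are processed. The following is an added example of such a check, not Parse Server's own code or its actual patch: it assumes a valid name is an identifier-like string of bounded length, and it keeps the registry in a Map so an unknown or malformed name produces an ordinary rejection rather than a crash or a write into internal state.

```javascript
// Added example (not Parse Server's own code): validate Cloud Function / Job
// names before they reach any internal registry.
// Assumption: a valid name is identifier-like and at most 128 characters.
const NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]{0,127}$/;

function isValidCloudName(name) {
  if (typeof name !== 'string' || !NAME_PATTERN.test(name)) {
    return false;
  }
  // Defensive: also refuse names that already exist on Object.prototype,
  // so a lookup can never be satisfied by an inherited property.
  if (Object.prototype.hasOwnProperty.call(Object.prototype, name)) {
    return false;
  }
  return true;
}

// Registry backed by a Map: lookups never walk a prototype chain and
// defining a name never touches properties of a plain object.
class CloudRegistry {
  constructor() {
    this.functions = new Map();
  }

  define(name, handler) {
    if (!isValidCloudName(name)) {
      throw new Error(`invalid cloud function name: ${JSON.stringify(name)}`);
    }
    this.functions.set(name, handler);
  }

  // Returns a result object instead of throwing, so a bad or unknown name
  // becomes a controlled error response rather than an unhandled exception.
  call(name, params) {
    if (!isValidCloudName(name)) {
      return { ok: false, error: 'invalid function name' };
    }
    const handler = this.functions.get(name);
    if (handler === undefined) {
      return { ok: false, error: 'unknown function' };
    }
    return { ok: true, result: handler(params) };
  }
}
```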

Affected Version(s)

parse-server < 6.5.5

parse-server >= 7.0.0-alpha.1, < 7.0.0-alpha.29

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
