CVE-2024-27298 - Vulnerability Details - OpenCVE

parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Parse Community	Parse Server

No data.

No data.

References

Link	Providers
https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504
https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833
https://github.com/parse-community/parse-server/releases/tag/6.5.0
https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20
https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-01T17:48:52.919Z

Updated: 2024-08-22T18:28:04.258Z

Reserved: 2024-02-22T18:08:38.875Z

Link: CVE-2024-27298

Vulnrichment

Updated: 2024-08-02T00:27:59.923Z

NVD

Status : Awaiting Analysis

Published: 2024-03-01T18:15:28.913

Modified: 2024-11-21T09:04:16.450

Link: CVE-2024-27298

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27298", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-22T18:08:38.875Z", "datePublished": "2024-03-01T17:48:52.919Z", "dateUpdated": "2024-08-22T18:28:04.258Z"}, "containers": {"cna": {"title": "Parse Server literalizeRegexPart SQL Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"}, {"name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"}, {"name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 6.5.0", "status": "affected"}, {"version": ">= 7.0.0-alpha.1, < 7.0.0-alpha.20", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-01T17:48:52.919Z"}, "descriptions": [{"lang": "en", "value": "parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.\n"}], "source": {"advisory": "GHSA-6927-3vr9-fxf2", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.923Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"}, {"name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"}, {"name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"}]}, {"affected": [{"vendor": "parseplatform", "product": "parse-server", "cpes": ["cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "6.5.0", "versionType": "custom"}, {"version": "7.0.0-alpha.1", "status": "affected", "lessThan": "7.0.0-alpha.20", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-05T15:39:53.508702Z", "id": "CVE-2024-27298", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T18:28:04.258Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.923Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27298", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-05T15:39:53.508702Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*"], "vendor": "parseplatform", "product": "parse-server", "versions": [{"status": "affected", "version": "0", "lessThan": "6.5.0", "versionType": "custom"}, {"status": "affected", "version": "7.0.0-alpha.1", "lessThan": "7.0.0-alpha.20", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T18:27:16.230Z"}}], "cna": {"title": "Parse Server literalizeRegexPart SQL Injection", "source": {"advisory": "GHSA-6927-3vr9-fxf2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": "< 6.5.0"}, {"status": "affected", "version": ">= 7.0.0-alpha.1, < 7.0.0-alpha.20"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-01T17:48:52.919Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27298", "state": "PUBLISHED", "dateUpdated": "2024-08-22T18:28:04.258Z", "dateReserved": "2024-02-22T18:08:38.875Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-01T17:48:52.919Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.\n"}, {"lang": "es", "value": "parse-server es un servidor Parse para Node.js/Express. Esta vulnerabilidad permite la inyecci\u00f3n de SQL cuando Parse Server est\u00e1 configurado para utilizar la base de datos PostgreSQL. La vulnerabilidad se solucion\u00f3 en 6.5.0 y 7.0.0-alpha.20. "}], "id": "CVE-2024-27298", "lastModified": "2024-11-21T09:04:16.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-01T18:15:28.913", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}