ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection · CVE-2024-27298 · GitHub Advisory Database · GitHub

ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection

Critical severity GitHub Reviewed Published Mar 1, 2024 in parse-community/parse-server • Updated Mar 1, 2024

Package

parse-server (npm)

Affected versions

< 6.5.0

>= 7.0.0-alpha.1, < 7.0.0-alpha.20

Patched versions

6.5.0

7.0.0-alpha.20

Description

Impact

This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.

Patches

The algorithm to detect SQL injection has been improved.

Workarounds

None.

References

GHSA-6927-3vr9-fxf2
https://github.com/parse-community/parse-server/releases/tag/6.5.0 (fixed in Parse Server 6)
https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 (fixed in Parse Server 7 alpha release)

Credits

Mikhail Shcherbakov (https://twitter.com/yu5k3) working with Trend Micro Zero Day Initiative (finder)
Ehsan Persania (remediation developer)
Manuel Trezza (coordinator)

References

mtrezza published to parse-community/parse-server

Mar 1, 2024

Published by the National Vulnerability Database

Mar 1, 2024

Published to the GitHub Advisory Database Mar 1, 2024

Reviewed Mar 1, 2024

Last updated Mar 1, 2024

Severity

Critical

10.0

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N