← voltar
CVE-2024-39309

ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability

CVSS 9.8 CRITICALEPSS 20.2%CWE-288CWE-89
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Produtos afetados
parse-community · parse-server
PoCs públicas encontradas1
githubgithub.com/HeavyGhost-le/POC_SQL_injection_in_Parse_Server_prior_6.5.7_-_7.1.01
⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5bhttps://github.com/parse-community/parse-server/pull/9167https://github.com/parse-community/parse-server/pull/9168https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r