GHSA-6hh7-46r2-vf29

Suggest an improvement
Source
https://github.com/advisories/GHSA-6hh7-46r2-vf29
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-6hh7-46r2-vf29/GHSA-6hh7-46r2-vf29.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6hh7-46r2-vf29
Aliases
Related
Published
2024-03-19T20:07:35Z
Modified
2024-03-21T08:12:34.995717Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Server crashes on invalid Cloud Function or Cloud Job name
Details

Impact

Calling an invalid Parse Server Cloud Function name or Cloud Job name crashes server and may allow for code injection.

Patches

Added string sanitation for Cloud Function name and Cloud Job name.

Workarounds

Sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.

References

  • https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29
  • https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29 (Fix for Parse Server 7 alpha)
  • https://github.com/parse-community/parse-server/releases/tag/6.5.5 (Fix for Parse Server 6 LTS)
Database specific 
{
    "github_reviewed_at": "2024-03-19T20:07:35Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-74"
    ],
    "nvd_published_at": "2024-03-19T19:15:06Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}
References

Affected packages

npm / parse-server

Package

Name
parse-server
View open source insights on deps.dev
Purl
pkg:npm/parse-server

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.5.5

npm / parse-server

Package

Name
parse-server
View open source insights on deps.dev
Purl
pkg:npm/parse-server

Affected ranges

Type
SEMVER
Events
Introduced
7.0.0-alpha.1
Fixed
7.0.0-alpha.29