GHSA-c2hr-cqg6-8j6r

Source

https://github.com/advisories/GHSA-c2hr-cqg6-8j6r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-c2hr-cqg6-8j6r/GHSA-c2hr-cqg6-8j6r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c2hr-cqg6-8j6r

Aliases

Published

2024-07-01T18:35:04Z

Modified

2024-07-03T08:12:27.108570Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability

Details

Impact

This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.

Patches

The algorithm to detect SQL injection has been improved.

Workarounds

None.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r
https://github.com/parse-community/parse-server/pull/9167 (fix for Parse Server 7)
https://github.com/parse-community/parse-server/pull/9168 (fix for Parse Server 6)

Credits

Smile Thanapattheerakul of Trend Micro (finder)
Manuel Trezza (coordinator)

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-288"
    ],
    "github_reviewed_at": "2024-07-01T18:35:04Z",
    "nvd_published_at": "2024-07-01T22:15:03Z",
    "severity": "CRITICAL"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.7