CVE-2024-29027

19.03.2024, 19:15

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.

Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9 CRITICAL	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
GitHub_M	CNA	9.1 CRITICAL	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 82%

Vendor	Product	Version
parseplatform	parse-server	𝑥 < 6.5.5
parseplatform	parse-server	7.0.0:alpha1
parseplatform	parse-server	7.0.0:alpha10
parseplatform	parse-server	7.0.0:alpha11
parseplatform	parse-server	7.0.0:alpha12
parseplatform	parse-server	7.0.0:alpha13
parseplatform	parse-server	7.0.0:alpha14
parseplatform	parse-server	7.0.0:alpha15
parseplatform	parse-server	7.0.0:alpha16
parseplatform	parse-server	7.0.0:alpha17
parseplatform	parse-server	7.0.0:alpha18
parseplatform	parse-server	7.0.0:alpha19
parseplatform	parse-server	7.0.0:alpha2
parseplatform	parse-server	7.0.0:alpha20
parseplatform	parse-server	7.0.0:alpha21
parseplatform	parse-server	7.0.0:alpha22
parseplatform	parse-server	7.0.0:alpha23
parseplatform	parse-server	7.0.0:alpha24
parseplatform	parse-server	7.0.0:alpha25
parseplatform	parse-server	7.0.0:alpha26
parseplatform	parse-server	7.0.0:alpha27
parseplatform	parse-server	7.0.0:alpha28
parseplatform	parse-server	7.0.0:alpha3
parseplatform	parse-server	7.0.0:alpha4
parseplatform	parse-server	7.0.0:alpha5
parseplatform	parse-server	7.0.0:alpha6
parseplatform	parse-server	7.0.0:alpha7
parseplatform	parse-server	7.0.0:alpha8
parseplatform	parse-server	7.0.0:alpha9

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b

https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e

https://github.com/parse-community/parse-server/releases/tag/6.5.5

https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29

https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29

https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b

https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e

https://github.com/parse-community/parse-server/releases/tag/6.5.5

https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29

https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29