CVE-2024-27298
Parse Server literalizeRegexPart SQL Injection
Severity Score
10.0
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Parse Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the literalizeRegexPart function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.
*Credits:
Mikhail Shcherbakov (https://twitter.com/yu5k3)
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-02-22 CVE Reserved
- 2024-03-01 CVE Published
- 2024-03-02 EPSS Updated
- 2024-08-22 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504 | X_refsource_misc | |
| https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833 | X_refsource_misc | |
| https://github.com/parse-community/parse-server/releases/tag/6.5.0 | X_refsource_misc | |
| https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 | X_refsource_misc | |
| https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Parse-community Search vendor "Parse-community" | Parse-server Search vendor "Parse-community" for product "Parse-server" | < 6.5.0 Search vendor "Parse-community" for product "Parse-server" and version " < 6.5.0" | en |
Affected
| ||||||
| Parse-community Search vendor "Parse-community" | Parse-server Search vendor "Parse-community" for product "Parse-server" | 7.0.0 Search vendor "Parse-community" for product "Parse-server" and version "7.0.0" | en |
Affected
| ||||||