Lucene search

[email protected]NVD:CVE-2024-27298

HistoryMar 01, 2024 - 6:15 p.m.

CVE-2024-27298

2024-03-0118:15:28

CWE-89

[email protected]

web.nvd.nist.gov

parse server

sql injection

postgresql

cve-2024-27298

node.js

express

vulnerability

fixed

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

9.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.

References

github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504

github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833

github.com/parse-community/parse-server/releases/tag/6.5.0

github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20

github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

9.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for NVD:CVE-2024-27298

prion1 cvelist1 veracode1 osv3 cve1 github1 ibm1