Lucene search

GoogleOSV:BIT-PARSE-2024-27298

HistoryMar 31, 2024 - 6:25 p.m.

BIT-parse-2024-27298

2024-03-3118:25:01

Google

osv.dev

parse server

sql injection

postgresql

vulnerability fix

software

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

8.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.

CPENameOperatorVersion
parsege7.0.0-alpha.1
parselt6.5.0
parselt7.0.0-alpha.20

Name	Operator	Version
parse	ge	7.0.0-alpha.1
parse	lt	6.5.0
parse	lt	7.0.0-alpha.20

References

github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504

github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833

github.com/parse-community/parse-server/releases/tag/6.5.0

github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20

github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

8.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for OSV:BIT-PARSE-2024-27298