GHSA-6927-3vr9-fxf2

Source

https://github.com/advisories/GHSA-6927-3vr9-fxf2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-6927-3vr9-fxf2/GHSA-6927-3vr9-fxf2.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-6927-3vr9-fxf2

Aliases

Published

2024-03-01T20:08:23Z

Modified

2024-04-01T07:26:48.328999Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS Calculator

Summary

ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection

Details

Impact

This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.

Patches

The algorithm to detect SQL injection has been improved.

Workarounds

None.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2
https://github.com/parse-community/parse-server/releases/tag/6.5.0 (fixed in Parse Server 6)
https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 (fixed in Parse Server 7 alpha release)

Credits

Mikhail Shcherbakov (https://twitter.com/yu5k3) working with Trend Micro Zero Day Initiative (finder)
Ehsan Persania (remediation developer)
Manuel Trezza (coordinator)

Database specific

{
    "nvd_published_at": "2024-03-01T18:15:28Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-01T20:08:23Z"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.0