CVE-2024-27298
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection
Description
### Impact This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. ### Patches The algorithm to detect SQL injection has been improved. ### Workarounds None. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2 - https://github.com/parse-community/parse-server/releases/tag/6.5.0 (fixed in Parse Server 6) - https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 (fixed in Parse Server 7 alpha release) ### Credits - Mikhail Shcherbakov (https://twitter.com/yu5k3) working with Trend Micro Zero Day Initiative (finder) - Ehsan Persania (remediation developer) - Manuel Trezza (coordinator)
How to fix CVE-2024-27298
To remediate CVE-2024-27298, upgrade the affected package to a fixed version below.
- —upgrade to 6.5.0 or later
- —upgrade to 6.5.0 or later
Is CVE-2024-27298 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 6.5.0
- from 0, < 6.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |