Platform: nodejs
Component: parse-server
Fixed in: 6.5.1, 7.0.1
CVE-2024-27298 is a critical SQL injection vulnerability discovered in Parse Server, a Node.js/Express-based Parse backend. This flaw allows attackers to inject malicious SQL code when Parse Server is configured to use a PostgreSQL database, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions less than or equal to 6.5.0 and versions prior to 7.0.0-alpha.20. A fix has been released in versions 6.5.0 and 7.0.0-alpha.20.
Successful exploitation of CVE-2024-27298 could grant an attacker complete control over the underlying PostgreSQL database. This includes the ability to read, modify, or delete any data stored within the database, such as user credentials, application data, and configuration settings. Depending on the application's functionality, this could lead to a complete compromise of the Parse Server instance and any applications relying on it. The blast radius extends to all users and data associated with the affected Parse Server deployment. Because the injection happens inside Parse Server's own query construction, standard input validation in front of the API does not stop it, and attacker-controlled query fragments are executed directly against the database.
CVE-2024-27298 was publicly disclosed on March 1, 2024. No known active exploitation campaigns have been reported at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are expected to emerge given the severity and ease of exploitation of SQL injection vulnerabilities.
Organizations and developers utilizing Parse Server for backend services, particularly those relying on PostgreSQL databases, are at risk. Shared hosting environments where Parse Server instances are deployed alongside other applications are especially vulnerable, as a compromised Parse Server could potentially impact other tenants on the same server.
• nodejs / server: `ps aux | grep parse-server`
Locate the running Parse Server process and check its version. Note that `ps` only shows the process; read the actual version from the application's package.json or from `npm ls parse-server`. If it is less than 6.5.0 or prior to 7.0.0-alpha.20, it is vulnerable.
• linux / server: `journalctl -u parse-server -f | grep "SQL injection"`
Monitor Parse Server logs for suspicious SQL injection attempts. No log line will literally say "SQL injection"; in practice the signal is PostgreSQL syntax errors and unexpected query fragments in the logs.
• database (postgresql): `SELECT version();`
Verify that the PostgreSQL version is compatible with the Parse Server version. Incompatible versions can exacerbate vulnerabilities.
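A more reliable version check than grepping the process list, added here as an example that is not part of the original page or of Parse Server itself: it classifies an installed parse-server version against the fixed releases using SemVer ordering, so prerelease tags such as 7.0.0-alpha.20 compare correctly. The default fixed versions are the ones named on this page (6.5.1 in the header, 7.0.0-alpha.20 in the text) and can be overridden; the `npm ls` output sample is constructed.

```javascript
// Added example, not Parse Server's own code: classify an installed
// parse-server version against the CVE-2024-27298 fixed releases, with
// SemVer 2.0 ordering so prerelease tags such as 7.0.0-alpha.20 compare right.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semantic version: ${v}`);
  // pre === [] marks a final release, which ranks above any prerelease
  return { main: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

function compareIds(a, b) {            // one prerelease identifier each
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na !== nb) return na ? -1 : 1;   // numeric ranks below alphanumeric
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareVersions(x, y) {       // -1, 0 or 1, usable with Array.sort
  const a = parseVersion(x), b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  if (!a.pre.length || !b.pre.length) return Math.sign(b.pre.length - a.pre.length);
  for (let i = 0; i < Math.min(a.pre.length, b.pre.length); i++) {
    const c = compareIds(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length);
}

// Fixed versions as named on this page; confirm against the linked GHSA advisory.
const FIXED_VERSIONS = ['6.5.1', '7.0.0-alpha.20'];

// Vulnerable when older than the fix for its own major line; anything older
// than the earliest fixed line (e.g. 5.x) is vulnerable as well.
function isVulnerable(installed, fixedVersions = FIXED_VERSIONS) {
  const major = parseVersion(installed).main[0];
  const lineFix = fixedVersions.filter(f => parseVersion(f).main[0] <= major)
    .sort(compareVersions).pop();
  const fix = lineFix ?? [...fixedVersions].sort(compareVersions)[0];
  return compareVersions(installed, fix) < 0;
}
// Version from `npm ls parse-server --json --depth=0` output (sample constructed).
function versionFromNpmLs(jsonText) {
  const dep = (JSON.parse(jsonText).dependencies || {})['parse-server'];
  return dep ? dep.version : null;
}
const SAMPLE_NPM_LS = '{"name":"my-app","dependencies":{"parse-server":{"version":"6.4.0"}}}';
console.log(versionFromNpmLs(SAMPLE_NPM_LS), isVulnerable(versionFromNpmLs(SAMPLE_NPM_LS)));
```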
Disclosure
Exploit status
EPSS: 0.31% (54th percentile)
CVSS vector
The primary mitigation for CVE-2024-27298 is to immediately upgrade Parse Server to version 6.5.0 or 7.0.0-alpha.20 or later. If an immediate upgrade is not feasible due to compatibility issues or downtime constraints, consider implementing stricter input validation and sanitization on all user-supplied data before it reaches Parse Server. This is not a complete solution, since the vulnerable query construction lives inside Parse Server rather than in application code; parameterized queries or prepared statements in your own database access help against SQL injection generally but do not patch this flaw. Review and audit existing SQL queries for potential vulnerabilities. After upgrading, verify the fix by attempting a SQL injection attack on a non-critical endpoint to ensure the vulnerability is no longer exploitable.
Update Parse Server to version 6.5.0 or later, or to version 7.0.0-alpha.20 or later. This fixes the SQL injection vulnerability. Be sure to test thoroughly after the update to verify that the application works correctly.
CVE-2024-27298 is a critical SQL injection vulnerability affecting Parse Server versions less than or equal to 6.5.0 and versions prior to 7.0.0-alpha.20, allowing attackers to potentially extract sensitive data.
Yes, if you are running Parse Server versions ≤ 6.5.0 or < 7.0.0-alpha.20 and using a PostgreSQL database, you are vulnerable to this SQL injection flaw.
Upgrade Parse Server to version 6.5.0 or 7.0.0-alpha.20 or later to remediate the vulnerability. Consider input validation as a temporary workaround.
No active exploitation campaigns have been reported at this time, but public proof-of-concept exploits are likely to emerge.
Refer to the official Parse Server security advisory for detailed information and updates: [https://github.com/parse/parse-server/security/advisories/GHSA-9g4x-639x-4p7w](https://github.com/parse/parse-server/security/advisories/GHSA-9g4x-639x-4p7w)