Description
Impact
Calling an invalid Parse Server Cloud Function name or Cloud Job name crashes server and may allow for code injection.
Patches
Added string sanitation for Cloud Function name and Cloud Job name.
Workarounds
Sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29
- https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29 (Fix for Parse Server 7 alpha)
- https://github.com/parse-community/parse-server/releases/tag/6.5.5 (Fix for Parse Server 6 LTS)
Basic information
- Type
- reviewed
- Severity
- critical
- Advisory on GitHub
- Open advisory ↗
- Repository advisory
- Open repository advisory ↗
- Source code
- Browse source ↗
- Published (advisory)
- 2024-03-19 20:07:35 UTC
- Updated
- 2024-03-19 22:15:09 UTC
- GitHub reviewed
- 2024-03-19 20:07:35 UTC
- NVD published
- 2024-03-19
EPSS Score
| Score |
Percentile |
|
1.90%
|
82.73% |
CVSS Scores
| Base score |
Version |
Severity |
Vector |
|
9.1
|
3.1 |
—
|
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Click to expand
- Attack vector (AV:N)
- Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
- Attack complexity (AC:H)
- Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
- Privileges required (PR:N)
- No account or special rights needed—anonymous or random user is enough.
- User interaction (UI:N)
- Nobody has to click “OK” or open a trap file; it can work without a victim helping.
- Scope (S:C)
- Breaking this can reach past the original component and bite other resources—bigger blast radius.
- Confidentiality (C:H)
- Serious risk that confidential data gets exposed in a big way.
- Integrity (I:H)
- They could widely tamper with or forge data—trust in the data is badly hurt.
- Availability (A:H)
- Could take the service down hard or make it unusable for people who depend on it.
|
CWEs
| CWE id |
Name |
|
CWE-20
|
Improper Input Validation |
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
Credits
-
mtrezza
(finder)
-
EhsanParsania
(remediation_developer)
Affected packages (2)
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem |
Package |
Vulnerable range |
First patched |
Vulnerable functions |
| npm |
parse-server |
< 6.5.5 |
6.5.5 |
—
|
| npm |
parse-server |
>= 7.0.0-alpha.1, < 7.0.0-alpha.29 |
7.0.0-alpha.29 |
—
|
cvelogic
Threat Intelligence