CVE-2024-29027
CRITICAL 9.0 | EPSS 1.9% | Server crashes on invalid Cloud Function or Cloud Job name
Published: 3/19/2024 | Modified: 3/21/2024
Description
### Impact

Calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection.

### Patches

Added string sanitation for Cloud Function name and Cloud Job name.

### Workarounds

Sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.

### References

- https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29
- https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29 (Fix for Parse Server 7 alpha)
- https://github.com/parse-community/parse-server/releases/tag/6.5.5 (Fix for Parse Server 6 LTS)
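The workaround above says to sanitize the name before it reaches Parse Server. The following is an added example of how a deployment could do that in front of the Parse Server API, not code from the project or from the advisory: an Express-style middleware that inspects the `/functions/:name` and `/jobs/:name` routes and rejects any name that is not a plain identifier. The allowed-name pattern and the 400 response body are assumptions chosen for this example, not Parse Server's own rules.

```javascript
// Added example, not Parse Server's own code: reject malformed Cloud Function /
// Cloud Job names before the request is handed to the Parse Server API.
// Assumption: the identifier pattern below is ours, not the project's rule.
const SAFE_NAME = /^[A-Za-z_][A-Za-z0-9_]{0,127}$/;
// Parse Server serves cloud code at POST /functions/<name> and /jobs/<name>
// (paths are relative to the mount point, e.g. "/parse").
const CLOUD_ROUTE = /^\/(functions|jobs)\/([^/]*)$/;

function isSafeCloudName(name) {
  return typeof name === 'string' && SAFE_NAME.test(name);
}

// Returns null when the path is not a cloud route; otherwise reports the
// route kind, the decoded name, and whether the name passes the allow-list.
// A path that cannot be percent-decoded is treated as not acceptable.
function checkCloudPath(path) {
  let decoded;
  try {
    decoded = decodeURIComponent(path);
  } catch (e) {
    return { kind: null, name: null, ok: false };
  }
  const m = CLOUD_ROUTE.exec(decoded);
  if (!m) return null;
  return { kind: m[1], name: m[2], ok: isSafeCloudName(m[2]) };
}

// Express-style middleware. Mount it on the same prefix as the Parse API and
// before it, e.g.:
//   app.use('/parse', rejectUnsafeCloudNames);
//   app.use('/parse', parseServerApi);
// The JSON body shape is an assumption for this example.
function rejectUnsafeCloudNames(req, res, next) {
  const result = checkCloudPath(req.path);
  if (result && !result.ok) {
    res.status(400).json({ error: 'invalid cloud function or job name' });
    return;
  }
  next();
}
```

Requests whose name fails the check never reach Parse Server's function and job routers, so the crash path described in the advisory is not exercised.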
Affected packages (2)
- Bitnami/parse: from 0, < 6.5.5
- npm/parse-server: from 0, < 6.5.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-29027
- PATCH: https://github.com/parse-community/parse-server
- WEB: https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b
- WEB: https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e
- WEB: https://github.com/parse-community/parse-server/releases/tag/6.5.5
- WEB: https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29
- WEB: https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29