CVE-2024-29027
Severity: CRITICAL 9.0 | EPSS: 1.9%
Server crashes on invalid Cloud Function or Cloud Job name
Published: 2024/3/19 | Modified: 2024/3/21
Description
### Impact
Calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection.
### Patches
Added string sanitation for Cloud Function name and Cloud Job name.
### Workarounds
Sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.
### References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29
- https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29 (Fix for Parse Server 7 alpha)
- https://github.com/parse-community/parse-server/releases/tag/6.5.5 (Fix for Parse Server 6 LTS)
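The workaround above says to sanitize the name before it reaches Parse Server but does not say which characters are dangerous, and the advisory does not describe the root cause. The following is an added example, not Parse Server's or the advisory's own code: an Express-style guard mounted ahead of Parse Server that only forwards Cloud Function and Cloud Job requests whose name matches a conservative allow-list. The identifier-like pattern, the extra blocklist of object-prototype keys, the `/functions/:name` and `/jobs/:name` route shapes, and the `/parse` mount path are assumptions; the first fix is still to upgrade to 6.5.5 or 7.0.0-alpha.29.

```javascript
// Added example (not Parse Server's or the advisory's own code): a guard that
// rejects unsafe Cloud Function / Cloud Job names before the request reaches
// Parse Server, as the advisory's workaround suggests.

// Assumption: your function and job names look like JS identifiers of at most
// 64 characters. Widen this pattern if your deployment uses other names.
const CLOUD_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

// Defence in depth, independent of the advisory's (undescribed) root cause:
// names that are hazardous whenever a string is used to index a plain object.
const BLOCKED_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeCloudName(name) {
  return typeof name === 'string'
    && CLOUD_NAME_RE.test(name)
    && !BLOCKED_NAMES.has(name);
}

// Pull the name out of a Cloud Code route. `path` is relative to the Parse
// mount point, as Express reports req.path inside app.use('/parse', ...).
// Returns null for non-Cloud-Code paths so they pass through untouched. The
// raw path is not percent-decoded by Express, so decode here and flag bad escapes.
function extractCloudName(path) {
  const m = /^\/(functions|jobs)(?:\/(.*))?$/.exec(path);
  if (m === null) return null;
  const raw = m[2] === undefined ? '' : m[2];
  try {
    return { kind: m[1], name: decodeURIComponent(raw), malformed: false };
  } catch (_) {
    return { kind: m[1], name: raw, malformed: true };
  }
}

// Express-style middleware: 400 for an unsafe or undecodable name, next()
// otherwise. The JSON error envelope is this example's own, not Parse's.
function cloudNameGuard(req, res, next) {
  const target = extractCloudName(req.path);
  if (target === null) return next();
  if (target.malformed || !isSafeCloudName(target.name)) {
    const what = target.kind === 'jobs' ? 'job' : 'function';
    res.status(400).json({ error: `Invalid Cloud ${what} name` });
    return;
  }
  return next();
}

// Drive the guard with a constructed req/res (no Express needed) and report
// the decision, so the behaviour can be checked offline.
function runGuard(path) {
  const out = { passed: false, status: 200, body: null };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; },
  };
  cloudNameGuard({ path }, res, () => { out.passed = true; });
  return out;
}

// Wiring in a real app (assumption: Parse Server mounted at /parse):
//   app.use('/parse', cloudNameGuard);
//   app.use('/parse', parseServer.app);

// Constructed sample paths: two legitimate Cloud Code calls, one unrelated
// route, and three that must be rejected (prototype key, space, bad escape).
for (const p of ['/functions/hello', '/jobs/nightlyCleanup', '/classes/GameScore',
                 '/functions/__proto__', '/functions/hello%20world', '/jobs/%E0%A4%A']) {
  const r = runGuard(p);
  console.log(p.padEnd(26), r.passed ? 'forwarded' : `rejected ${r.status}`);
}
```

Mount the guard on the same path as Parse Server and before it, so that it sees every `/functions/...` and `/jobs/...` request first; requests for other routes are passed through unchanged. If some of your Cloud Functions use names outside the identifier pattern, extend `CLOUD_NAME_RE` rather than dropping the check, and keep the guard in place even after upgrading if you want a documented input contract for these names.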
Affected packages (2)
- Bitnami/parse: from 0, < 6.5.5
- npm/parse-server: from 0, < 6.5.5
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-29027
- PATCH: https://github.com/parse-community/parse-server
- WEB: https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b
- WEB: https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e
- WEB: https://github.com/parse-community/parse-server/releases/tag/6.5.5
- WEB: https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29
- WEB: https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29