https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
This vulnerability affects Parse Server installations and allows remote attackers to bypass authentication. The flaw exists in the literalizeRegexPart function, which does not properly validate user-supplied strings before using them to construct SQL queries; this allows SQL injection. The vulnerability is present in versions of Parse Server prior to 6.5.7 and 7.1.0 when the server is configured to use the PostgreSQL database.
The impact of this vulnerability is severe, with a CVSS base score of 9.8 (Critical). Attackers can exploit this flaw to bypass authentication and potentially gain unauthorized access to the system. The vulnerability allows for SQL injection attacks, which could lead to:
1. Unauthorized data access: Attackers may be able to read sensitive information from the database.
2. Data manipulation: There's a risk of malicious alterations to the database contents.
3. Data exfiltration: Sensitive data could be extracted from the system.
4. Service disruption: The availability of the system could be compromised.
The attack vector is network-based, requires no user interaction, and can be exploited without any privileges. It affects the confidentiality, integrity, and availability of the system, all rated as high impact. This could result in a complete compromise of the database and the services relying on it.
One proof-of-concept exploit is available on zerodayinitiative.com. There is currently no evidence that the vulnerability is being exploited.
A patch is available for this vulnerability. Parse has issued an update to correct the issue in versions 6.5.7 and 7.1.0 of Parse Server, released on June 30, 2024. It is crucial to update to these versions or later as soon as possible to mitigate the risk.
1. Update Parse Server to version 6.5.7 or 7.1.0 or later immediately.
2. If immediate patching is not possible, implement additional security measures:
- Apply strict input validation and sanitization for all database queries
- Use prepared statements or parameterized queries
- Apply the principle of least privilege to database users
- Monitor database activity for suspicious queries
3. Conduct a thorough review of your system to ensure no unauthorized access or data manipulation has occurred.
4. Implement network segmentation to limit potential attack vectors.
5. Regularly audit and update security configurations for Parse Server and the PostgreSQL database.
6. Consider temporarily disabling or restricting access to the affected Parse Server instances until patching is complete, if feasible.
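The advisory describes the defect class (a user-supplied regex string spliced into SQL text) and the mitigation (input validation plus parameterized queries). The following is an added illustration, not Parse Server's code and not a reconstruction of literalizeRegexPart: a hypothetical helper that turns a user-supplied pattern into a PostgreSQL regex filter, shown in the unsafe string-concatenation shape beside the parameterized shape, with a validation step and a check that user text never lands in the SQL string. The function names, the column allowlist and the sample pattern are all constructed for this example.

```javascript
// Added example (not Parse Server code): building a PostgreSQL regex filter
// from a user-supplied pattern with a bound parameter instead of string
// concatenation. Function names and the column allowlist are assumptions.

const ALLOWED_COLUMNS = new Set(['name', 'email']); // constructed allowlist

// Quote a column identifier only after checking it against the allowlist,
// so the identifier can never carry untrusted text into the SQL.
function quoteIdentifier(column) {
  if (!ALLOWED_COLUMNS.has(column)) {
    throw new Error(`column not allowed: ${column}`);
  }
  return `"${column.replace(/"/g, '""')}"`;
}

// Reject patterns that are not well-formed regular expressions before they
// reach the database. PostgreSQL would also reject them, but failing early
// keeps malformed input out of query logs and error paths.
function validateRegex(pattern) {
  if (typeof pattern !== 'string' || pattern.length === 0 || pattern.length > 256) {
    throw new Error('pattern must be a non-empty string of at most 256 characters');
  }
  try {
    new RegExp(pattern);
  } catch (e) {
    throw new Error(`invalid regular expression: ${e.message}`);
  }
  return pattern;
}

// UNSAFE (for contrast): the pattern is spliced into the SQL text, so a
// quote character inside it changes the structure of the statement.
function buildRegexWhereUnsafe(column, pattern) {
  return { text: `WHERE ${quoteIdentifier(column)} ~ '${pattern}'`, values: [] };
}

// SAFE: the pattern travels as a bound parameter ($1). The SQL text is
// fixed; the driver sends the value separately, so it is never parsed as
// SQL. { text, values } is the shape node-postgres accepts for a query.
function buildRegexWhere(column, pattern) {
  return {
    text: `WHERE ${quoteIdentifier(column)} ~ $1`,
    values: [validateRegex(pattern)],
  };
}

// Review check: user-supplied text must never appear verbatim inside the
// SQL text of a query object. Heuristic, but cheap to run in a unit test.
function inputLeaksIntoSql(query, userInput) {
  return query.text.includes(userInput);
}

// Constructed input: a legitimate pattern that happens to contain an
// apostrophe, as a search for a name like "O'Neil" would.
const userPattern = "^O'Neil.*";

const unsafeQuery = buildRegexWhereUnsafe('name', userPattern);
const safeQuery = buildRegexWhere('name', userPattern);
console.log('unsafe:', unsafeQuery.text,
  '| input in SQL text:', inputLeaksIntoSql(unsafeQuery, userPattern));
console.log('safe:  ', safeQuery.text, JSON.stringify(safeQuery.values),
  '| input in SQL text:', inputLeaksIntoSql(safeQuery, userPattern));
```

The unsafe builder produces `WHERE "name" ~ '^O'Neil.*'`, a statement whose string literal ends at the apostrophe; the safe builder produces `WHERE "name" ~ $1` with the pattern carried in `values`, so the same input is a plain search term. The allowlist on the column and the regex pre-check correspond to the "strict input validation" item above; the `$1` placeholder corresponds to "prepared statements or parameterized queries".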
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Detection for the vulnerability has been added to Qualys (5000299)
Feedly found the first article mentioning CVE-2024-39309.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-39309
This CVE started to trend in security discussions
EPSS Score was set to: 0.05% (Percentile: 15.7%)
This CVE stopped trending in security discussions