https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r

Exploit
CVE-2024-39309

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Published: Jun 30, 2024

CVSS 9.8 | EPSS 0.05% | Critical

Summary

This vulnerability affects Parse Server installations and allows remote attackers to bypass authentication. The flaw exists within the literalizeRegexPart function, which uses a user-supplied string to construct SQL queries without proper validation, allowing SQL injection. The vulnerability is present in versions of Parse Server prior to 6.5.7 and 7.1.0 when the server is configured to use the PostgreSQL database.

Impact

The impact of this vulnerability is severe, with a CVSS base score of 9.8 (Critical). Attackers can exploit this flaw to bypass authentication and potentially gain unauthorized access to the system. The vulnerability allows for SQL injection attacks, which could lead to:

1. Unauthorized data access: attackers may be able to read sensitive information from the database.
2. Data manipulation: there is a risk of malicious alterations to the database contents.
3. Data exfiltration: sensitive data could be extracted from the system.
4. Service disruption: the availability of the system could be compromised.

The attack vector is network-based, requires no user interaction, and can be exploited without any privileges. It affects the confidentiality, integrity, and availability of the system, all rated as high impact. This could result in a complete compromise of the database and the services relying on it.

Exploitation

One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of exploitation in the wild at the moment.

Patch

A patch is available for this vulnerability. Parse has issued an update to correct the issue in versions 6.5.7 and 7.1.0 of Parse Server, released on June 30, 2024. It is crucial to update to these versions or later as soon as possible to mitigate the risk.

Mitigation

1. Update Parse Server to version 6.5.7 or 7.1.0 or later immediately.
2. If immediate patching is not possible, implement additional security measures:
   - Apply strict input validation and sanitization for all database queries
   - Use prepared statements or parameterized queries
   - Apply the principle of least privilege to database users
   - Monitor database activity for suspicious queries
3. Conduct a thorough review of your system to ensure no unauthorized access or data manipulation has occurred.
4. Implement network segmentation to limit potential attack vectors.
5. Regularly audit and update security configurations for Parse Server and the PostgreSQL database.
6. Consider temporarily disabling or restricting access to the affected Parse Server instances until patching is complete, if feasible.
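The "prepared statements or parameterized queries" item above, shown as an added example that is not Parse Server's own code and does not reproduce the literalizeRegexPart logic: a hypothetical query builder for a PostgreSQL regex match (`~`) that splices the user-controlled pattern into the SQL text, beside a hardened builder that binds the pattern as a `$1` parameter in the node-postgres style and restricts the column name to an allowlist (identifiers cannot be bound as parameters). The table and column names, the function names and the sample patterns are all constructed for the example.

```javascript
// Added example, not Parse Server code. Table/column names are hypothetical.
const ALLOWED_COLUMNS = new Set(['username', 'email']); // constructed allowlist

// Anti-pattern: the pattern is interpolated into the statement text, so any
// quote characters it contains are parsed by the database as SQL.
function buildRegexQueryUnsafe(column, pattern) {
  return {
    text: `SELECT * FROM "users" WHERE "${column}" ~ '${pattern}'`,
    values: [],
  };
}

// Hardened form: the column must come from a fixed allowlist, and the pattern
// travels as a bound parameter value, so the statement text never depends on
// user input and the database never parses the pattern as SQL.
function buildRegexQuerySafe(column, pattern) {
  if (!ALLOWED_COLUMNS.has(column)) {
    throw new Error(`column not allowed: ${column}`);
  }
  if (typeof pattern !== 'string') {
    throw new TypeError('pattern must be a string');
  }
  return {
    text: `SELECT * FROM "users" WHERE "${column}" ~ $1`,
    values: [pattern],
  };
}

// Review-time check: a builder is parameterized only if its statement text is
// identical for every sample input. Useful as a unit test on any query helper.
function queryTextIsInputIndependent(builder, column, samples) {
  const texts = new Set(samples.map((s) => builder(column, s).text));
  return texts.size === 1;
}

// Constructed sample patterns; one contains a single quote, which is exactly
// the character that breaks out of a string literal in the unsafe builder.
const SAMPLES = ['^alice$', "o'brien", '.*'];

console.log('unsafe builder parameterized:',
  queryTextIsInputIndependent(buildRegexQueryUnsafe, 'username', SAMPLES)); // false
console.log('safe builder parameterized:',
  queryTextIsInputIndependent(buildRegexQuerySafe, 'username', SAMPLES));   // true
```

The `queryTextIsInputIndependent` check is the property a reviewer actually wants from any helper that turns client-supplied query constraints into SQL: the statement text is fixed and only the `values` array varies.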

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners: detection for the vulnerability has been added to Qualys (5000299). (Jul 1, 2024 at 7:53 AM)

First Article: Feedly found the first article mentioning CVE-2024-39309, in the GitHub Advisory Database. (Jul 1, 2024 at 6:42 PM)

CVSS Estimate: Feedly estimated the CVSS score as HIGH. (Jul 1, 2024 at 6:42 PM)

CVE Assignment: NVD published the first details for CVE-2024-39309. (Jul 1, 2024 at 10:15 PM)

Trending: this CVE started to trend in security discussions. (Jul 2, 2024 at 1:08 AM)

EPSS: EPSS score was set to 0.05% (percentile: 15.7%). (Jul 2, 2024 at 10:01 AM)

Trending: this CVE stopped trending in security discussions. (Jul 4, 2024 at 10:01 PM)

Affected Systems

Parseplatform/parse-server

Exploits

https://www.zerodayinitiative.com/advisories/ZDI-24-896/

Patches

GitHub Advisory

Links to MITRE ATT&CK

T1083: File and Directory Discovery

Attack Patterns

CAPEC-127: Directory Indexing

Vendor Advisory

ZDI-24-896: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of Parse Server. Parse has issued an update to correct this vulnerability.

News

CPAI-2024-0580
The post CPAI-2024-0580 appeared first on Check Point Software.
Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability [CVE-2024-39309]
CVE number = CVE-2024-39309. CVSS score = 9.8. This vulnerability allows remote attackers to bypass authentication on affected installations of Parse Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the literalizeRegexPart function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to bypass authentication on the system. Parse has issued an update to correct this vulnerability. More details can be found at: https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r The post Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability [CVE-2024-39309] appeared first on SystemTek - Technology news and information.
US-CERT Vulnerability Summary for the Week of July 1, 2024
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA.
Vulnerability Summary for the Week of July 1, 2024 (bjackson, Jul 08, 2024). High Vulnerabilities, listed as Primary Vendor -- Product: Description. Published; CVSS Score; Source & Patch Info:
- 2code -- wpqa_builder: The WPQA Builder WordPress plugin before 6.1.1 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. Published 2024-07-03; CVSS 8.8; CVE-2024-2376; contact@wpscan.com
- ABB -- ASPECT Enterprise (ASP-ENT-x): Default credential in install package in ABB ASPECT; NEXUS Series; MATRIX Series version 3.07 allows attacker to login to product instances wrongly configured. Published 2024-07-01; CVSS 8.8; CVE-2024-4007; cybersecurity@ch.abb.com
- Adobe -- Acrobat for Edge: Acrobat for Edge versions 126.0.2592.68 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Published 2024-07-02; CVSS 7.8; CVE-2024-34122; psirt@adobe.com
- aimeos -- ai-admin-graphql: aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue. Published 2024-07-02; CVSS 7.1; CVE-2024-39323; security-advisories@github.com
- Apache Software Foundation -- Apache HTTP Server: Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Published 2024-07-01; CVSS 7.5; CVE-2024-39573; security@apache.org
- Arm Ltd -- Valhall GPU Firmware: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Arm Ltd Valhall GPU Firmware, Arm Ltd Arm 5th Gen GPU Architecture Firmware allows a local non-privileged user to make improper GPU processing operations to access a limited amount outside of buffer bounds.
CVE-2024-39309: prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. (3-Jul-2024)
Vulnerability details: A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. However, the application source code allows users to perform migration to a self-hosted Parse Server.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
