SQL Injection in Parse-community Parse-server
CVE-2024-39309
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL databas…
EPSS: 0.038 (88.3rd percentile).
CVSS v3 metric
CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Parse-community Parse-server — versions < 6.5.7, >= 7.0.0, < 7.1.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r (x_refsource_CONFIRM)
- https://github.com/parse-community/parse-server/pull/9167 (x_refsource_MISC)
- https://github.com/parse-community/parse-server/pull/9168 (x_refsource_MISC)
- https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3 (x_refsource_MISC)
- https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b (x_refsource_MISC)
Frequently asked questions
- What is CVE-2024-39309?
- CVE-2024-39309 is a critical-severity vulnerability in Parse-community Parse-server, classified under Authentication Bypass Using an Alternate Path or Channel. CVSS score: 9.8/10. Published 2024-07-01.
- How severe is CVE-2024-39309?
- Critical severity. CVSS v3 base score is 9.8 out of 10.
- Is CVE-2024-39309 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.