CRITICAL 9.0

GHSA-6hh7-46r2-vf29

Server crashes on invalid Cloud Function or Cloud Job name

Details

### Impact

Calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection.

### Patches

Added string sanitization for the Cloud Function name and Cloud Job name.

### Workarounds

Sanitize the Cloud Function name and Cloud Job name before they reach Parse Server.
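One way to apply this workaround is an Express-style middleware placed ahead of Parse Server. This is an added example, not code from Parse Server or the advisory; because the advisory does not say which names are invalid, it goes beyond character filtering and forwards only exact, known names. It assumes the guard is mounted at the same prefix as Parse Server so that `req.url` looks like `/functions/<name>` or `/jobs/<name>`, and the names in `ALLOWED` are constructed samples.

```javascript
// Added example, not Parse Server code. Assumptions: mounted at the same prefix as
// Parse Server and ahead of it; the names in ALLOWED are constructed samples.
const ALLOWED = {
  functions: new Set(['hello', 'sendReport']),
  jobs: new Set(['nightlyCleanup']),
};

// Returns { kind, name } for a Cloud Function/Job route, or null for any other route.
// name is null when the percent-encoding cannot be decoded.
function extractCloudName(url) {
  const path = url.split('?')[0];
  // Case-insensitive: Express routers match paths case-insensitively by default.
  const m = /^\/(functions|jobs)\/(.*)$/i.exec(path);
  if (!m) return null;
  const kind = m[1].toLowerCase();
  try {
    return { kind, name: decodeURIComponent(m[2]) };
  } catch (e) {
    return { kind, name: null };
  }
}

// Express-style middleware: reject any name that is not an exact, known entry.
function cloudNameGuard(req, res, next) {
  const hit = extractCloudName(req.url);
  if (hit && (hit.name === null || !ALLOWED[hit.kind].has(hit.name))) {
    res.statusCode = 400;
    res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify({ error: 'Invalid Cloud Function or Cloud Job name' }));
    return;
  }
  next();
}

// Minimal stand-in for a request/response pair so the guard can be exercised offline.
function simulate(url) {
  let forwarded = false;
  const res = { statusCode: 200, setHeader() {}, end() {} };
  cloudNameGuard({ url }, res, () => { forwarded = true; });
  return { forwarded, status: res.statusCode };
}

console.log(simulate('/functions/hello'));     // known function name
console.log(simulate('/jobs/not%20a%20job'));  // unknown job name
console.log(simulate('/classes/GameScore'));   // not a Cloud Function/Job route
```

The guard inspects only the URL path, so a name supplied any other way is not checked; installing a fixed release is still the remedy.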

### References

- https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29
- https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29 (Fix for Parse Server 7 alpha)
- https://github.com/parse-community/parse-server/releases/tag/6.5.5 (Fix for Parse Server 6 LTS)

Affected packages

npm / parse-server
First affected version: 0; fixed version: 6.5.5
Fix: npm install parse-server@6.5.5

npm / parse-server
First affected version: 7.0.0-alpha.1; fixed version: 7.0.0-alpha.29
Fix: npm install parse-server@7.0.0-alpha.29
