CVE-2024-29027
CRITICALDescription
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.
Is your site exposed to CVE-2024-29027?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
| parseplatform | parse-server |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2024-29027? +
How severe is CVE-2024-29027? +
What products are affected by CVE-2024-29027? +
How do I check if I'm vulnerable to CVE-2024-29027? +
Related Vulnerabilities
An XML injection vulnerability in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS® software enables an unauthenticated …
Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses `\s+` which matches …
Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote …
Integrated Scripting is a tool for creating scripts for handling complex operations in Integrated Dynamics. Minecraft users who use Integrated …
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.
Host Header Injection (HHI) vulnerability in the Hotspot Shield VPN client, which can induce unexpected behaviour when accessing third-party web …