Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter
Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.
CVSS Information
N/A
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
Parse Server SQL注入漏洞
Vulnerability Description
Parse Server是Parse Platform开源的一个开源后端,可以部署到任何可以运行 Node.js 的基础设施。 Parse Server 8.6.59之前版本和9.6.0-alpha.53之前版本存在SQL注入漏洞,该漏洞源于攻击者可将SQL元字符注入字段名参数,可能导致SQL注入攻击和权限提升。
CVSS Information
N/A
Vulnerability Type
N/A