Parse Server PostgreSQL SQL Injection via Dot-Notation Sub-key
Parse Server's PostgreSQL adapter fails to escape sub-key names in Increment operations, allowing SQL injection. The PoC highlights the need for immediate patching to prevent database compromise.
CVE References
Affected
The vulnerability arises from unescaped sub-key names in Increment operations, enabling SQL injection. Attackers can inject arbitrary commands by crafting keys with quotes or other special characters.
The PoC demonstrates that maliciously crafted sub-keys can execute unauthorized SQL commands, bypassing Parse Server's own authorization layers such as class-level permissions (CLPs) and access control lists (ACLs). It underscores the critical need for immediate patching to prevent exploitation.
Detection
Signatures: Monitor for requests with keys containing single quotes or other SQL injection vectors.
Log indicators: Look for unusual database queries in logs that suggest unauthorized access attempts.
Mitigation
Patches: Update to Parse Server 9.6.0-alpha.5 or 8.6.31, which escape sub-key names.
Workarounds: No known workarounds; patching is the only solution.
Risk
Likelihood: high
Threat interest: High interest from attackers due to potential data breaches.
Sources