CVE-2024-39309

CRITICAL

Parse Server < 6.5.7 and 7.0.0-7.1.0 - SQL Injection via PostgreSQL Configuration

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-39309. PoCs published by HeavyGhost-le.

AI-analyzed exploit summary: This repository contains a functional Python-based exploit for CVE-2024-39309, a PostgreSQL SQL injection vulnerability in Parse Server versions prior to 6.5.7 and 7.1.0. The exploit demonstrates database enumeration, file reading, and privilege escalation via crafted regex-based SQL injection.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available.

Exploits (1)

nomisec · WORKING POC · 1 star
by HeavyGhost-le · poc
https://github.com/HeavyGhost-le/POC_SQL_injection_in_Parse_Server_prior_6.5.7_-_7.1.0


Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Parse Server (versions < 6.5.7 and < 7.1.0)
Auth required
Prerequisites: Valid Parse Server application ID · Access to the target Parse Server endpoint
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0379
EPSS Percentile: 88.4%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-288, CWE-89
Status: published
Products (3):
npm/parse-server 0 - 6.5.7 (npm)
parse-community/parse-server < 6.5.7
parse-community/parse-server >= 7.0.0, < 7.1.0
Published: Jul 01, 2024
Tracked Since: Feb 18, 2026