CVE-2024-21534

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-21534
All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0
https://github.com/JSONPath-Plus/JSONPath/issues/226
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019
https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
Configurations

No configuration.

History

18 Nov 2024, 11:15

Type Values Removed Values Added
Summary (en) Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226). (en) All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).
References
  • {'url': 'https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3', 'source': 'report@snyk.io'}
  • {'url': 'https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72', 'source': 'report@snyk.io'}
  • () https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0 -

20 Oct 2024, 12:15

Type Values Removed Values Added
Summary (en) Versions of the package jsonpath-plus before 10.0.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** The unsafe behavior is still available after applying the fix but it is not turned on by default. (en) Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).
References
  • () https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72 -
  • () https://github.com/JSONPath-Plus/JSONPath/issues/226 -

16 Oct 2024, 09:15

Type Values Removed Values Added
References
  • () https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019 -

15 Oct 2024, 12:58

Type Values Removed Values Added
Summary
  • (es) Las versiones del paquete jsonpath-plus anteriores a la 10.0.0 son vulnerables a la ejecución remota de código (RCE) debido a una desinfección de entrada incorrecta. Un atacante puede ejecutar código arbitrario en el sistema aprovechando el uso inseguro predeterminado de vm en Node. **Nota:** El comportamiento inseguro sigue estando disponible después de aplicar la corrección, pero no está activado de forma predeterminada.

11 Oct 2024, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-11 13:15

Updated : 2024-11-18 11:15

NVD link : CVE-2024-21534

Mitre link : CVE-2024-21534

CVE.ORG link : CVE-2024-21534

JSON object : View

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024