Description

All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).

INFO

Published Date :

2024-10-11T05:00:01.824Z

Last Modified :

2024-11-18T10:37:45.634Z

Source :

snyk
AFFECTED PRODUCTS

The following products are affected by CVE-2024-21534 vulnerability.

Vendors Products
Jsonpath-plus
  • Jsonpath
Redhat
  • Openshift Devspaces
  • Rhdh
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-21534.

URL Resource
https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3 cve-icon
https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0 cve-icon cve-icon
https://github.com/JSONPath-Plus/JSONPath/issues/226 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-21534 cve-icon
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019 cve-icon cve-icon
https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-21534 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact