Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1wcHBnLWNwZnEtaDd3cs4ABAM3

JSONPath Plus Remote Code Execution (RCE) Vulnerability

Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

There was an attempt to fix it in version 10.0.0 but it could still be exploited using different payloads.

Permalink: https://github.com/advisories/GHSA-pppg-cpfq-h7wr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcHBnLWNwZnEtaDd3cs4ABAM3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 month ago
Updated: 3 days ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-pppg-cpfq-h7wr, CVE-2024-21534
References:

Repository: https://github.com/JSONPath-Plus/JSONPath
Blast Radius: 42.8

Affected Packages

maven:org.webjars.npm:jsonpath-plus

Dependent packages: 6
Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 6.0.1
No known fixed version
All affected versions: 3.0.0, 4.0.0, 6.0.1

npm:jsonpath-plus

Dependent packages: 544
Dependent repositories: 23,144
Downloads: 19,611,355 last month
Affected Version Ranges: < 10.0.7
Fixed in: 10.0.7
All affected versions: 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.18.1, 0.19.0, 0.20.0, 0.20.1, 1.0.0, 1.1.0, 2.0.0, 3.0.0, 4.0.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.1.0, 6.0.0, 6.0.1, 7.0.0, 7.1.0, 7.2.0, 8.0.0, 8.1.0, 9.0.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6
All unaffected versions: 10.0.7, 10.1.0, 10.2.0