CVE-2024-21534

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-21534

Severity

9.8

Critical

CVSS V3

Eliminate CVEs with Chainguard hardened images

Build, ship, and run secure software with minimal, hardened container images — rebuilt from source daily and guarded under our industry-leading remediation SLA.

Start for free

Description

All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

There were several attempts to fix it in versions 10.0.0-10.1.0 but it could still be exploited using different payloads.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-21534
https://github.com/advisories/GHSA-pppg-cpfq-h7wr
https://github.com/JSONPath-Plus/JSONPath/issues/226
https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019
https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2024-21534

Severity

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company