Overview
- Description
- Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).
- Source
- report@snyk.io
- NVD status
- Awaiting Analysis
Risk scores
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Social media
- Hype score
- Not currently trending
CVE-2024-21534 - Command Injection in JSONPath Plus versions < 10.0.7 Root cause: Improper sanitization of user-supplied JSONPath expressions, allowing arbitrary code execution via Node.js's vm module. Reference: https://t.co/hMG5EckcFb https://t.co/w24vw6PiK9
@win3zz
14 Nov 2024
3231 Impressions
16 Retweets
77 Likes
33 Bookmarks
0 Replies
0 Quotes
🧟‍♂️ Villain of the Week 🧟‍♂️ CVE-2024-21534 affects all versions of the jsonpath-plus package prior to 10.0.0, which are vulnerable to Remote Code Execution. With a CVSS score of 9.8, this vulnerability is rated as Critical, posing a severe risk to your system's confidential
@vicariusltd
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes