← Volver a CVEs

CVE-2024-21534

CRITICAL

9.8

Descripcion

All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).

Detalles CVE

Puntuacion CVSS v3.19.8

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado10/11/2024

Ultima modificacion11/18/2024

Fuentenvd

Avistamientos honeypot0

Debilidades (CWE)

CWE-94CWE-94

Referencias

https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0(report@snyk.io)

https://github.com/JSONPath-Plus/JSONPath/issues/226(report@snyk.io)

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019(report@snyk.io)

https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884(report@snyk.io)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.