|
|
|||
| Rule General Information |
|---|
| Release Date: | 2024-12-04 | |
| Rule Name: | Jsonpath-plus Remote Code Execution Vulnerability (CVE-2024-21534) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.**Note:**There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226). | |
| Impact: | An attacker can execute arbitrary code via a successful exploit in the context of the vulnerable software. | |
| Affected OS: | Windows, Linux, Others | |
| Reference: | https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0 https://github.com/JSONPath-Plus/JSONPath/issues/226 https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019 https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884 |
|
| Solutions |
|---|
| Please refer to announcements or patches release by the vendor: https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3 |