Fluid Attacks Database

Description

JSONPath Plus Remote Code Execution (RCE) Vulnerability Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

There were several attempts to fix it in versions 10.0.0-10.1.0 but it could still be exploited using different payloads

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.webjars.npm:jsonpath-plus	>=0 <=6.0.1	10.3.0
npm	jsonpath-plus	>=0 <10.2.0	10.2.0

Aliases

1. CVE-2024-215342. NVD-2024-215343. OSV-2024-215344. GCVE-2024-21534

References

1. https://github.com/JSONPath-Plus/JSONPath/issues/2262. https://github.com/JSONPath-Plus/JSONPath/issues/226#issuecomment-24242303163. https://github.com/JSONPath-Plus/JSONPath/pull/2334. https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd35. https://github.com/JSONPath-Plus/JSONPath/commit/73ad72e5ee788d8287dea6e8283a3f16f63c9eb86. https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd727. https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.08. https://github.com/pabloopez/CVE-2024-21534

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.