#VU100117 Input validation error in JSONPath - CVE-2024-21534
Published: November 8, 2024 / Updated: November 29, 2024
Vulnerability identifier: #VU100117
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2024-21534
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
JSONPath
JSONPath
Software vendor:
JSONPath-Plus
JSONPath-Plus
Description
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can exploit the unsafe default usage of vm in Node and execute arbitrary code on the system.
Remediation
Install updates from vendor's website.
External links
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
- https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019
- https://github.com/JSONPath-Plus/JSONPath/issues/226
- https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72