#VU88224 Prototype pollution in JSONata - CVE-2024-27307


Vulnerability identifier: #VU88224

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-27307

CWE-ID: CWE-1321

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
JSONata
Other software / Other software solutions

Vendor: andrew-coleman

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists because a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype (CWE-1321, prototype pollution). A remote attacker can pass a specially crafted expression to an application that evaluates user-provided JSONata expressions and pollute `Object.prototype`, which can result in denial of service, remote code execution or other unexpected behavior in that application.
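As an added illustration (not JSONata's code and not a verified payload for this CVE): a stripped-down model of a transform-style update that deep-clones its input, resolves an attacker-chosen location path against the clone, and merges an update object into whatever the path resolves to. With no key filtering, the locations `__proto__` and `constructor.prototype` both land on `Object.prototype`, so the merge pollutes every object in the process. The hardened variant rejects prototype-reaching segments and keys up front and walks own properties only, and a before/after snapshot of `Object.prototype` acts as a runtime canary after evaluating untrusted expressions. The dotted-path location syntax and all function names are assumptions for this example, not JSONata syntax.

```javascript
// Added example, not JSONata's implementation: a minimal model of a
// "transform"-style update (clone input, resolve a location path, merge an
// update object into the target) in a vulnerable and a hardened form.
// Location paths here are dotted strings ("a.b.c"), an assumption for
// this example.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Deep-clone plain JSON data so the caller's input is never mutated.
function clone(value) {
  return JSON.parse(JSON.stringify(value));
}

// Unsafe path walk: uses ordinary property access, so "__proto__" or
// "constructor.prototype" climbs from a plain object to Object.prototype.
function resolveUnsafe(obj, location) {
  return location
    .split(".")
    .reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Vulnerable model: whatever the location resolves to receives the update,
// including shared built-ins.
function transformUnsafe(input, location, update) {
  const copy = clone(input);
  const target = resolveUnsafe(copy, location);
  if (target !== null && typeof target === "object") {
    Object.assign(target, update);
  }
  return copy;
}

// Hardened model: refuse prototype-reaching names in the location and in the
// update, walk own properties only, and define (not assign) the new keys.
function transformSafe(input, location, update) {
  const segments = location.split(".");
  for (const seg of segments) {
    if (FORBIDDEN_KEYS.has(seg)) {
      throw new Error(`Refusing to access prototype key in location: ${seg}`);
    }
  }
  for (const key of Object.keys(update)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`Refusing prototype key in update: ${key}`);
    }
  }
  const copy = clone(input);
  let target = copy;
  for (const seg of segments) {
    if (
      target === null ||
      typeof target !== "object" ||
      !Object.prototype.hasOwnProperty.call(target, seg)
    ) {
      return copy; // location does not exist: nothing to update
    }
    target = target[seg];
  }
  if (target !== null && typeof target === "object") {
    for (const [k, v] of Object.entries(update)) {
      Object.defineProperty(target, k, {
        value: v, writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return copy;
}

// Runtime canary: snapshot Object.prototype's own names before evaluating
// untrusted input and report any that appeared afterwards.
function snapshotPrototype() {
  return new Set(Object.getOwnPropertyNames(Object.prototype));
}
function detectPollution(before) {
  return Object.getOwnPropertyNames(Object.prototype).filter((n) => !before.has(n));
}

// Constructed sample document and attacker-chosen locations.
function demo() {
  const doc = { Account: { Name: "Firefly" } };
  const leakedByPath = {};
  let pollutedValue = null;
  for (const location of ["__proto__", "constructor.prototype"]) {
    const before = snapshotPrototype();
    transformUnsafe(doc, location, { polluted: "yes" });
    leakedByPath[location] = detectPollution(before); // ["polluted"]
    pollutedValue = {}.polluted;                      // "yes" on every object
    for (const k of leakedByPath[location]) delete Object.prototype[k]; // clean up
  }
  let safeError = null;
  try {
    transformSafe(doc, "__proto__", { polluted: "yes" });
  } catch (e) {
    safeError = e.message;
  }
  const legit = transformSafe(doc, "Account", { Active: true });
  return {
    leakedByPath,
    pollutedValue,
    safeError,
    legitActive: legit.Account.Active,
    inputUntouched: doc.Account.Active === undefined,
    cleanAfter: detectPollution(snapshotPrototype()).length === 0,
  };
}

console.log(demo());
```

The canary is the piece to keep in production code that evaluates untrusted expressions: it costs nothing and turns a silent pollution into a logged, actionable event, independent of whatever library version is installed.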

Mitigation
Install updates from the vendor's website (JSONata 2.0.4 or later; see the release link below).

Vulnerable software versions

JSONata: 1.4 - 2.0.3


External links
http://github.com/jsonata-js/jsonata/security/advisories/GHSA-fqg8-vfv7-8fj8
http://github.com/jsonata-js/jsonata/commit/1d579dbe99c19fbe509f5ba2c6db7959b0d456d1
http://github.com/jsonata-js/jsonata/commit/335d38f6278e96c908b24183f1c9c90afc8ae00c
http://github.com/jsonata-js/jsonata/commit/c907b5e517bb718015fcbd993d742ba6202f2be2
http://github.com/jsonata-js/jsonata/releases/tag/v2.0.4


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
