{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21534", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.123Z", "datePublished": "2024-10-11T05:00:01.824Z", "dateUpdated": "2024-11-18T10:37:45.634Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P"}}], "credits": [{"value": "Andrea Angelo Raineri", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Remote Code Execution (RCE)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-11-18T10:37:45.634Z"}, "descriptions": [{"value": "All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.\r\r**Note:**\r\rThere were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019"}, {"url": "https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0"}, {"url": "https://github.com/JSONPath-Plus/JSONPath/issues/226"}], "affected": [{"product": "jsonpath-plus", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}, {"product": "org.webjars.npm:jsonpath-plus", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "affected": [{"vendor": "jsonpath-plus", "product": "jsonpath", "cpes": ["cpe:2.3:a:jsonpath-plus:jsonpath:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "10.0.7", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-11T14:23:05.262400Z", "id": "CVE-2024-21534", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T19:13:34.790Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21534", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-11T14:23:05.262400Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jsonpath-plus:jsonpath:*:*:*:*:*:*:*:*"], "vendor": "jsonpath-plus", "product": "jsonpath", "versions": [{"status": "affected", "version": "0", "lessThan": "10.0.7", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T14:48:12.431Z"}}], "cna": {"credits": [{"lang": "en", "value": "Andrea Angelo Raineri"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "jsonpath-plus", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "semver"}]}, {"vendor": "n/a", "product": "org.webjars.npm:jsonpath-plus", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019"}, {"url": "https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0"}, {"url": "https://github.com/JSONPath-Plus/JSONPath/issues/226"}], "descriptions": [{"lang": "en", "value": "All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.\r\r**Note:**\r\rThere were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226)."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "Remote Code Execution (RCE)"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-11-18T10:37:45.634Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21534", "state": "PUBLISHED", "dateUpdated": "2024-11-18T10:37:45.634Z", "dateReserved": "2023-12-22T12:33:20.123Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-10-11T05:00:01.824Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.\r\r**Note:**\r\rThere were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226)."}, {"lang": "es", "value": "Las versiones del paquete jsonpath-plus anteriores a la 10.0.0 son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo (RCE) debido a una desinfecci\u00f3n de entrada incorrecta. Un atacante puede ejecutar c\u00f3digo arbitrario en el sistema aprovechando el uso inseguro predeterminado de vm en Node. **Nota:** El comportamiento inseguro sigue estando disponible despu\u00e9s de aplicar la correcci\u00f3n, pero no est\u00e1 activado de forma predeterminada."}], "id": "CVE-2024-21534", "lastModified": "2024-11-18T11:15:06.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-10-11T13:15:15.667", "references": [{"source": "report@snyk.io", "url": "https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0"}, {"source": "report@snyk.io", "url": "https://github.com/JSONPath-Plus/JSONPath/issues/226"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10236", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "impact": "low", "package": "devspaces/code-rhel8:3.17-19", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10236", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "impact": "low", "package": "devspaces/dashboard-rhel8:3.17-25", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-11-25T00:00:00Z"}], "bugzilla": {"description": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", "id": "2317968", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317968"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-94", "details": ["All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.\n**Note:**\nThere were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", "A flaw was found in jsonpath-plus. This vulnerability allows remote code execution via improper input sanitisation and unsafe default usage of the vm module in Node.js. Attackers can exploit this by executing arbitrary code through the unsafe use of the vm module in Node.js, which allows for malicious code injection. This issue occurs due to the way jsonpath-plus evaluates JSON paths using vm, a Node.js module that allows code execution. If user input is not properly sanitized, an attacker can craft JSON paths that execute dangerous commands, such as reading sensitive files."], "mitigation": {"lang": "en:us", "value": "Red Hat Product Security recommends updating the vulnerable software to the latest version."}, "name": "CVE-2024-21534", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "impact": "low", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "impact": "low", "package_name": "odh-dashboard-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "impact": "low", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Not affected", "package_name": "rhods/odh-operator-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Not affected", "package_name": "rhods/odh-rhel8-operator", "product_name": "Red Hat OpenShift Data Science (RHODS)"}], "public_date": "2024-10-11T05:00:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21534\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21534\nhttps://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3\nhttps://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884"], "statement": "The vulnerability has been addressed, however, it is important to note that the unsafe behavior is still present but is no longer enabled by default. Developers using older versions or relying on this unsafe behavior could still be at risk.", "threat_severity": "Critical"}