Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function.
History

Thu, 31 Oct 2024 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Antonk52
Antonk52 lilconfig
CPEs cpe:2.3:a:antonk52:lilconfig:*:*:*:*:*:*:*:*
Vendors & Products Antonk52
Antonk52 lilconfig
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 31 Oct 2024 05:15:00 +0000

Type Values Removed Values Added
Description Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function.
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2024-10-31T05:00:03.948Z

Updated: 2024-10-31T13:39:14.418Z

Reserved: 2023-12-22T12:33:20.123Z

Link: CVE-2024-21537

cve-icon Vulnrichment

Updated: 2024-10-31T13:39:09.242Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-31T05:15:04.733

Modified: 2024-11-01T12:57:03.417

Link: CVE-2024-21537

cve-icon Redhat

No data.