GHSA-pppg-cpfq-h7wr

Suggest an improvement
Source
https://github.com/advisories/GHSA-pppg-cpfq-h7wr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-pppg-cpfq-h7wr/GHSA-pppg-cpfq-h7wr.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pppg-cpfq-h7wr
Aliases
Related
Published
2024-10-11T15:30:32Z
Modified
2024-11-18T18:45:56.023309Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
JSONPath Plus Remote Code Execution (RCE) Vulnerability
Details

Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

There was an attempt to fix it in version 10.0.0 but it could still be exploited using different payloads.

Database specific
{
    "nvd_published_at": "2024-10-11T13:15:15Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-14T16:27:22Z"
}
References

Affected packages

npm / jsonpath-plus

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.0.7

Maven / org.webjars.npm:jsonpath-plus

Package

Name
org.webjars.npm:jsonpath-plus
View open source insights on deps.dev
Purl
pkg:maven/org.webjars.npm/jsonpath-plus

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
6.0.1

Affected versions

3.*

3.0.0

4.*

4.0.0

6.*

6.0.1