Описание
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
Note:
This is caused by an incomplete fix for CVE-2024-21534.
Ссылки
EPSS
Процентиль: 99%
0.86146
Высокий
9.8 Critical
CVSS3
Дефекты
CWE-94
Связанные уязвимости
CVSS3: 9.8
redhat
11 месяцев назад
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
EPSS
Процентиль: 99%
0.86146
Высокий
9.8 Critical
CVSS3
Дефекты
CWE-94