9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-21534

CVE-2024-21534: JSONPath Plus Remote Code Execution (RCE) Vulnerability

Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

There were several attempts to fix it in versions 10.0.0-10.1.0 but it could still be exploited using different payloads

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-21534

CVE-2024-21534:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.webjars.npm:jsonpath-plus	maven	<= 6.0.1
jsonpath-plus	npm	< 10.2.0	10.2.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stemmed from JSONPath's _eval function using Node.js' vm module without proper sandboxing. The SafeScript implementation (meant to fix this) initially had insufficient property access controls in evalMemberExpression, allowing bypasses via constructor/prototype properties. The commit diffs show these functions were modified to add security checks like blocking 'constructor' access and using Object.hasOwn for property checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-21534: JSONPath Plus Remote Code Execution (RCE) Vulnerability

CVE-2024-21534:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Basic Information

Basic Information

9.8

9.8

Technical Details

CVE-2024-21534: JSONPath Plus Remote Code Execution (RCE) Vulnerability

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-21534: JSONPath Plus Remote Code Execution (RCE) Vulnerability

CVE-2024-21534:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

9.8

9.8

Technical Details

CVE-2024-21534: JSONPath Plus Remote Code Execution (RCE) Vulnerability

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI