{
  "threat_severity" : "Low",
  "public_date" : "2024-10-11T05:00:01Z",
  "bugzilla" : {
    "description" : "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization",
    "id" : "2317968",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2317968"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-94",
  "details" : [ "All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node.\n**Note:**\nThere were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", "A flaw was found in jsonpath-plus. This vulnerability allows remote code execution via improper input sanitisation and unsafe default usage of the vm module in Node.js. Attackers can exploit this by executing arbitrary code through the unsafe use of the vm module in Node.js, which allows for malicious code injection. This issue occurs due to the way jsonpath-plus evaluates JSON paths using vm, a Node.js module that allows code execution. If user input is not properly sanitized, an attacker can craft JSON paths that execute dangerous commands, such as reading sensitive files." ],
  "statement" : "Red Hat's initial impact rating of critical has been downgraded to low. While the vulnerable code is technically still present within Red Hat products, there are no code paths in affected products which allow exploitation. As such, the impact to Red Hat products is low.\nEach of the products listed has multiple components where a fixed build could occur. This distinction does not matter for users, as only one build needs to be fixed for the product. Additionally, in Red Hat OpenShift AI, jsonpath-plus is a dependency of a direct dependency and is never loaded, as the direct dependency's feature that requires jsonpath-plus is not used.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10236",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8",
    "package" : "devspaces/code-rhel8:3.17-19"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10236",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8",
    "package" : "devspaces/dashboard-rhel8:3.17-25"
  }, {
    "product_name" : "Red Hat Developer Hub 1.6",
    "release_date" : "2025-05-14T00:00:00Z",
    "advisory" : "RHSA-2025:7626",
    "cpe" : "cpe:/a:redhat:rhdh:1.6::el9",
    "package" : "rhdh/rhdh-hub-rhel9:sha256:b6bf7ded5e146f60141840bb2e42e72125c61af0f3d3c3fbf48b35bc670675fe"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Not affected",
    "package_name" : "rhdh/rhdh-rhel9-operator",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "odh-dashboard-container",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "odh-operator-container",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhods/odh-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Not affected",
    "package_name" : "rhods/odh-operator-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Not affected",
    "package_name" : "rhods/odh-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-21534\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21534\nhttps://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3\nhttps://github.com/JSONPath-Plus/JSONPath/issues/226\nhttps://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884" ],
  "name" : "CVE-2024-21534",
  "mitigation" : {
    "value" : "Red Hat Product Security recommends updating the vulnerable software to the latest version.",
    "lang" : "en:us"
  },
  "csaw" : false
}