{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"critical"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-21534","title":"Title"},{"category":"description","text":"All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node.\r\r**Note:**\r\rThere were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-21534","url":"https://www.suse.com/security/cve/CVE-2024-21534"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1231547 for CVE-2024-21534","url":"https://bugzilla.suse.com/1231547"}],"title":"SUSE CVE CVE-2024-21534","tracking":{"current_release_date":"2025-02-16T05:22:48Z","generator":{"date":"2024-10-12T03:03:09Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-21534","initial_release_date":"2024-10-12T03:03:09Z","revision_history":[{"date":"2024-10-12T03:03:09Z","number":"2","summary":"Current version"},{"date":"2024-10-13T03:07:28Z","number":"3","summary":"Current version"},{"date":"2024-10-21T13:48:06Z","number":"4","summary":"Current version"},{"date":"2024-11-19T04:08:35Z","number":"5","summary":"Current version"},{"date":"2025-01-01T01:31:22Z","number":"6","summary":"Current version"},{"date":"2025-02-14T05:29:50Z","number":"7","summary":"Current version"},{"date":"2025-02-16T05:22:48Z","number":"8","summary":"Current version"}],"status":"interim","version":"8"}}}