Serverless Examples – A collection of boilerplates and examples of serverless architectures built with the Serverless Framework on AWS Lambda, Microsoft Azure, Google Cloud Functions, and more.
Path to dependency file: /aws-golang-auth-examples/package.json
Path to vulnerable library: /aws-golang-auth-examples/node_modules/jsonata/package.json,/aws-python-auth0-custom-authorizers-api/node_modules/jsonata/package.json,/aws-rust-simple-http-endpoint/node_modules/jsonata/package.json,/aws-node-dynamic-image-resizer/node_modules/jsonata/package.json,/aws-node-rest-api-typescript-simple/node_modules/jsonata/package.json,/aws-golang-dynamo-stream-to-elasticsearch/node_modules/jsonata/package.json,/aws-node-http-api-typescript/node_modules/jsonata/package.json
JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.
CVE-2024-27307 - Critical Severity Vulnerability
jsonata-1.8.5.tgz
JSON query and transformation language
Library home page: https://registry.npmjs.org/jsonata/-/jsonata-1.8.5.tgz
Path to dependency file: /aws-golang-auth-examples/package.json
Path to vulnerable library: /aws-golang-auth-examples/node_modules/jsonata/package.json,/aws-python-auth0-custom-authorizers-api/node_modules/jsonata/package.json,/aws-rust-simple-http-endpoint/node_modules/jsonata/package.json,/aws-node-dynamic-image-resizer/node_modules/jsonata/package.json,/aws-node-rest-api-typescript-simple/node_modules/jsonata/package.json,/aws-golang-dynamo-stream-to-elasticsearch/node_modules/jsonata/package.json,/aws-node-http-api-typescript/node_modules/jsonata/package.json
Dependency Hierarchy: - serverless-1.83.3.tgz (Root Library) - enterprise-plugin-3.8.4.tgz - :x: **jsonata-1.8.5.tgz** (Vulnerable Library)
jsonata-1.8.3.tgz
JSON query and transformation language
Library home page: https://registry.npmjs.org/jsonata/-/jsonata-1.8.3.tgz
Path to dependency file: /aws-node-typescript-apollo-lambda/package.json
Path to vulnerable library: /aws-node-typescript-apollo-lambda/node_modules/jsonata/package.json
Dependency Hierarchy: - serverless-1.79.0.tgz (Root Library) - enterprise-plugin-3.7.1.tgz - :x: **jsonata-1.8.3.tgz** (Vulnerable Library)
Found in HEAD commit: dcbe4aefe4b3685f4b15493a01db0f19b118a0c4
Found in base branch: master
JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.
Publish Date: 2024-03-06
URL: CVE-2024-27307
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/jsonata-js/jsonata/security/advisories/GHSA-fqg8-vfv7-8fj8
Release Date: 2024-03-06
Fix Resolution (jsonata): 1.8.7
Direct dependency fix Resolution (serverless): 2.0.0-05627d62
Fix Resolution (jsonata): 1.8.7
Direct dependency fix Resolution (serverless): 1.80.0-06ed01b8
Step up your Open Source Security Game with Mend here