CVE-2024-27307 (Critical) detected in jsonata-1.7.0.tgz

[mend-for-github-com[bot]]

CVE-2024-27307 - Critical Severity Vulnerability

Vulnerable Library - jsonata-1.7.0.tgz

JSON query and transformation language

Library home page: https://registry.npmjs.org/jsonata/-/jsonata-1.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonata/package.json

Dependency Hierarchy: - serverless-1.57.0.tgz (Root Library) - enterprise-plugin-3.2.3.tgz - :x: **jsonata-1.7.0.tgz** (Vulnerable Library)

Found in HEAD commit: c4de98a3ee33ed933132ba45998d6d4f54aa4e6d

Found in base branch: master

Vulnerability Details

JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.

Publish Date: 2024-03-06

URL: CVE-2024-27307

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jsonata-js/jsonata/security/advisories/GHSA-fqg8-vfv7-8fj8

Release Date: 2024-03-06

Fix Resolution (jsonata): 1.8.7

Direct dependency fix Resolution (serverless): 1.58.0

---

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.