Bug 2268370 (CVE-2024-27307) - CVE-2024-27307 jsonata: malicious expression can pollute the "Object" prototype
Summary: CVE-2024-27307 jsonata: malicious expression can pollute the "Object" prototype
Keywords:
Status: NEW
Alias: CVE-2024-27307
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2268371
Reported: 2024-03-07 06:31 UTC by TEJ RATHI
Modified: 2024-03-19 19:05 UTC (History)
CC: 17 users

Fixed In Version: jsonata 1.8.7, jsonata 2.0.4
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in JSONata. A malicious expression can use the transform operator to override properties on the Object constructor and on Object.prototype. Because those objects are shared by every value in the process, this can result in denial of service, remote code execution, or other unforeseen behavior in applications that evaluate user-provided JSONata expressions.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description TEJ RATHI 2024-03-07 06:31:07 UTC
Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation.

https://github.com/jsonata-js/jsonata/commit/1d579dbe99c19fbe509f5ba2c6db7959b0d456d1
https://github.com/jsonata-js/jsonata/commit/335d38f6278e96c908b24183f1c9c90afc8ae00c
https://github.com/jsonata-js/jsonata/commit/c907b5e517bb718015fcbd993d742ba6202f2be2
https://github.com/jsonata-js/jsonata/releases/tag/v2.0.4
https://github.com/jsonata-js/jsonata/security/advisories/GHSA-fqg8-vfv7-8fj8
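The description above names the affected range and the two objects the bug can corrupt. As an added illustration, and not code from this bug, from the reporter, or from the jsonata project, the block below shows two checks an application that evaluates user-provided JSONata expressions might run while it rolls out the fixed versions: a version gate for the range stated in the description, and a runtime integrity check that snapshots the own properties of Object and Object.prototype around an evaluation and reports anything added, modified or removed. The evaluator passed to the guard is caller-supplied; `fakeEvaluator` is a constructed stand-in that writes to Object.prototype when it sees a marker string, and it is not the real exploit expression nor the real jsonata API. Treating major versions other than 1 and 2 as outside the affected range is an assumption, as is the note that the real call would wrap `jsonata(expr).evaluate(input)`, which returns a Promise in jsonata 2.x.

```javascript
// Added example (not jsonata project code): a version gate for the affected
// range named in this bug and a runtime prototype-integrity check for
// applications that evaluate user-provided JSONata expressions.

// Affected per the description: >= 1.4.0 and < 1.8.7, and 2.x < 2.0.4.
// Treating majors other than 1 and 2 as outside the range is an assumption.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  const v = parseVersion(version);
  if (v[0] === 1) {
    return compareVersions(v, [1, 4, 0]) >= 0 && compareVersions(v, [1, 8, 7]) < 0;
  }
  if (v[0] === 2) return compareVersions(v, [2, 0, 4]) < 0;
  return false;
}

// Snapshot every own property of a target (string and symbol keys) with its
// descriptor, so both added keys and replaced methods (a swapped toString,
// a redefined __proto__ accessor) are detected, not just new enumerable keys.
function snapshotOwnProperties(target) {
  const snap = new Map();
  for (const key of Reflect.ownKeys(target)) {
    snap.set(key, Object.getOwnPropertyDescriptor(target, key));
  }
  return snap;
}

function sameDescriptor(a, b) {
  return Object.is(a.value, b.value) && a.get === b.get && a.set === b.set &&
    a.writable === b.writable && a.enumerable === b.enumerable &&
    a.configurable === b.configurable;
}

function diffSnapshots(label, before, after) {
  const changes = [];
  for (const [key, desc] of after) {
    const old = before.get(key);
    if (!old) changes.push({ target: label, key: String(key), kind: 'added' });
    else if (!sameDescriptor(old, desc)) changes.push({ target: label, key: String(key), kind: 'modified' });
  }
  for (const key of before.keys()) {
    if (!after.has(key)) changes.push({ target: label, key: String(key), kind: 'removed' });
  }
  return changes;
}

// Run a caller-supplied evaluator over an untrusted expression and report
// whether Object or Object.prototype changed while it ran. With the real
// library the evaluator would wrap jsonata(expr).evaluate(input) (assumed
// call shape; it returns a Promise in jsonata 2.x), so a thenable result is
// awaited before the "after" snapshot is taken.
function evaluateGuarded(evaluate, expression, input) {
  const before = {
    ctor: snapshotOwnProperties(Object),
    proto: snapshotOwnProperties(Object.prototype),
  };
  const finish = (value, error) => {
    const changes = [
      ...diffSnapshots('Object', before.ctor, snapshotOwnProperties(Object)),
      ...diffSnapshots('Object.prototype', before.proto, snapshotOwnProperties(Object.prototype)),
    ];
    return { polluted: changes.length > 0, changes, value, error };
  };
  try {
    const out = evaluate(expression, input);
    if (out && typeof out.then === 'function') {
      return out.then((v) => finish(v, undefined), (e) => finish(undefined, e));
    }
    return finish(out, undefined);
  } catch (e) {
    return finish(undefined, e);
  }
}

// Constructed stand-in for a vulnerable evaluator (NOT the real exploit and
// NOT the jsonata API): a plain expression reads one field of the input,
// while one carrying the marker writes to Object.prototype, the effect the
// description attributes to the transform operator.
function fakeEvaluator(expression, input) {
  if (expression.includes('POLLUTE')) {
    Object.prototype.polluted = 'yes';
    return null;
  }
  return input[expression];
}

function demo() {
  const clean = evaluateGuarded(fakeEvaluator, 'name', { name: 'alice' });
  const dirty = evaluateGuarded(fakeEvaluator, 'POLLUTE', { name: 'alice' });
  // Undo the simulated pollution so the rest of this process is unaffected.
  // A real application cannot assume a clean rollback and should fail closed
  // (stop serving, restart) once the guard reports a change, because the
  // damage is process-wide.
  delete Object.prototype.polluted;
  return { clean, dirty };
}

console.log(demo().dirty.changes);
```

The guard detects after the fact; it does not prevent the write, and by the time it reports, any code that ran in between already saw the polluted prototype. It is a canary for staging and for logging in production, not a substitute for moving to 1.8.7 or 2.0.4. Freezing Object.prototype up front is the stronger option, but it can break third-party modules that legitimately extend built-ins, so test it per application.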

