Lucene search

[email protected]CVE-2024-30254

HistoryApr 04, 2024 - 7:15 p.m.

CVE-2024-30254

2024-04-0419:15:08

CWE-22

[email protected]

web.nvd.nist.gov

mesonlsp

vulnerability

arbitrary file

overwriting

workaround

language server

patch

nvd

5.8 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L

7.3 High

AI Score

Confidence

High

3.7 Low

CVSS2

Access Vector

LOCAL

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:H/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

9.9%

JSON

MesonLSP is an unofficial, unendorsed language server for meson written in C++. A vulnerability in versions prior to 4.1.4 allows overwriting arbitrary files if the attacker can make the victim either run the language server within a specific crafted project or mesonlsp --full. Version 4.1.4 contains a patch for this issue. As a workaround, avoid running mesonlsp --full and set the language server option others.neverDownloadAutomatically to true.

References

github.com/JCWasmx86/mesonlsp/commit/594b6334061371911cd59389124ab8af30ce0a3a

github.com/JCWasmx86/mesonlsp/security/advisories/GHSA-48c5-35fh-846h

5.8 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L

7.3 High

AI Score

Confidence

High

3.7 Low

CVSS2

Access Vector

LOCAL

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:H/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

9.9%

JSON

Related for CVE-2024-30254

osv1 cvelist1