CVE-2024-30254

2024-04-0419:15:08

Google

osv.dev

mesonlsp

language server

vulnerability

file overwriting

c++

security patch

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.2%

JSON

MesonLSP is an unofficial, unendorsed language server for meson written in C++. A vulnerability in versions prior to 4.1.4 allows overwriting arbitrary files if the attacker can make the victim either run the language server within a specific crafted project or mesonlsp --full. Version 4.1.4 contains a patch for this issue. As a workaround, avoid running mesonlsp --full and set the language server option others.neverDownloadAutomatically to true.

CPENameOperatorVersion
mesonlspeq4.1.2
mesonlspeq3.0.16
mesonlspeq1.6
mesonlspeq3.0.18
mesonlspeq3.0.6
mesonlspeq4.0.0
mesonlspeq2.3.5
mesonlspeq1.5
mesonlspeq3.0.2
mesonlspeq2.3.10

Name	Operator	Version
mesonlsp	eq	4.1.2
mesonlsp	eq	3.0.16
mesonlsp	eq	1.6
mesonlsp	eq	3.0.18
mesonlsp	eq	3.0.6
mesonlsp	eq	4.0.0
mesonlsp	eq	2.3.5
mesonlsp	eq	1.5
mesonlsp	eq	3.0.2
mesonlsp	eq	2.3.10

Rows per page:

1-10 of 721

References

github.com/JCWasmx86/mesonlsp/commit/594b6334061371911cd59389124ab8af30ce0a3a

github.com/JCWasmx86/mesonlsp/security/advisories/GHSA-48c5-35fh-846h