EUVD-2024-0922

Malicious code in bioql PyPI...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in jsonata-js JSONata

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of jsonata-js JSONata. Vulnerability Details CVEID:CVE-2024-27307 DESCRIPTION: jsonata-js JSONata could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the JSONata...

Security Bulletin: IBM Maximo Application Suite uses jsonata-1.8.6 which is vulnerable to CVE-2024-27307, CVE-2022-34169, CVE-2023-20861, CVE-2023-3635, CVE-2018-10237, CVE-2023-33201, CVE-2023-33202, CVE-2023-45288, CVE-2023-20863

Summary IBM Maximo Application Suite uses jsonata-1.8.6 which is vulnerable to CVE-2024-27307, CVE-2022-34169, CVE-2023-20861, CVE-2023-3635, CVE-2018-10237, CVE-2023-33201, CVE-2023-33202, CVE-2023-45288, CVE-2023-20863. This bulletin contains information regarding the vulnerability and its...

Security Bulletin: Netcool Operations Insights 1.6.13 addresses multiple security vulnerabilities.

Summary Netcool Operations Insight v1.6.13 addresses multiple security vulnerabilities, listed in the CVEs below. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2021-31684 DESCRIPTION: netplex JSON Smart is vulnerable to a denial of...

Security Bulletin: IBM Edge Application Manager 4.5.5 addresses the security vulnerabilities listed in the CVEs below.

Summary IBM Edge Application Manager 4.5.5 addresses the security vulnerabilities listed in the CVEs below. Vulnerability Details CVEID:CVE-2024-29041 DESCRIPTION: Express.js Express could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker...

Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service and remote attack due to node.js jose module and jsonata-js JSONata (CVE-2024-28176, CVE-2024-27307)

Summary The Discovery Connector nodes in IBM App Connect Enterprise are vulnerable to a denial of service due to node.js jose module and jsonata-js JSONata. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-28176 DESCRIPTION: Node.js jos...

Security Bulletin: IBM App Connect Enterprise Certified Container instances that run or edit flows containing JSONata mapping are vulnerable to arbitrary code execution due to [CVE-2024-27307]

Summary JSONata is used by IBM App Connect Enterprise Certified Container flows for mapping and extracting values within a JSON document. IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationRuntime and IntegrationServer operands that run or edit flows containing JSONata...

CVE-2024-27307

A vulnerability was found in JSONata. A malicious expression can exploit the transform operator to override properties on the Object constructor and prototype. This issue can result in denial of service, remote code execution, or other unforeseen behavior in applications that assess user-provided...

CVE-2024-27307

JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This may lead to denial of service, remote code execution or...

Remote code execution

JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This may lead to denial of service, remote code execution or...

CVE-2024-27307 JSONata expression can pollute the "Object" prototype

JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This may lead to denial of service, remote code execution or...

CVE-2024-27307

CVE-2024-27307 (JSONata) is a prototype-pollution vulnerability in JSONata.js. Starting with 1.4.0 and affecting versions prior to 1.8.7 and 2.0.4, a malicious JSONata expression can abuse the transform operator to override properties on Object and Object.prototype, enabling denial of service, re...

CVE-2024-27307 JSONata expression can pollute the "Object" prototype

JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This may lead to denial of service, remote code execution or...

CVE-2024-27307 JSONata expression can pollute the "Object" prototype

JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This may lead to denial of service, remote code execution or...

JSONata Security Vulnerabilities

JSONata is a JSON query and transformation language. A security vulnerability exists in JSONata versions 1.4.0 through prior to 2.0.4, which stems from a malicious expression that can override attributes on object constructors and prototypes using conversion operators, which could result in a...

Object Constructor And Prototype Override

jsonata is vulnerable to Object Constructor And Prototype Override. The vulnerability is due to a malicious expression leveraging the transform operator to override properties on the Object constructor and prototype. This may lead to denial of service, remote code execution, or other unexpected...

@bifravst/muninn-proto (>=5.0.0 <=5.2.0-chart-proto.1), @cenk1cenk2/renovate-config (>=2.3.132 <=2.3.148) +9 more potentially affected by CVE-2024-27307 via jsonata (=2.0.3)

jsonata NPM version =2.0.3 is affected by a known vulnerability. The following packages have a transitive dependency on jsonata and may be impacted: - @bifravst/muninn-proto =5.0.0, =2.3.132, =1.0.0, =1.0.0, =0.14.0, =5.1.0, =4.0.0, =1.0.7, =36.7.0, =37.227.0 Source cves: CVE-2024-27307 Source...

@3c-node-red/runtime (=3.1.6), @adeunis/node-red-contrib-adeunis-codecs (=1.0.0) +244 more potentially affected by CVE-2024-27307 via jsonata (>=1.5.0 <=1.8.6)

jsonata NPM version =1.5.0, =20.2.3, =5.0.0, =0.8.0, =0.0.1, =1.0.0, =1.0.1, =2.0.0, =2.0.4 - @elastic.io/batching-library =2.0.1-dev.4 and more Source cves: CVE-2024-27307 Source advisory: OSV:GHSA-FQG8-VFV7-8FJ8...

GHSA-FQG8-VFV7-8FJ8 JSONata expression can pollute the "Object" prototype

Impact In JSONata versions = 1.4.0, = 2.0.0, = 1.8.7 and = 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. The following patch can be applied if updating is not possible. patch --- a/src/jsonata.js +++ b/src/jsonata.js @@ -1293,6 +1293,13 @@...

JSONata expression can pollute the "Object" prototype

Impact In JSONata versions = 1.4.0, = 2.0.0, = 1.8.7 and = 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. The following patch can be applied if updating is not possible. patch --- a/src/jsonata.js +++ b/src/jsonata.js @@ -1293,6 +1293,13 @@...