Vulnerability: Remote Code Execution (RCE) in jsonpath-plus versions < 10.3.0 #1964
Hi there,
Gemnasium found the following:
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
I have upgraded to the latest version of Orval to ensure compatibility and security (^7.6.0).
If more information is needed, please let me know.
Kind regards,
Jeffrey.