How severe is CVE-2024-27307?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2024-27307?

This is classified as CWE-1321, which is a common weakness in software security.

CVE-2024-27307 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.

Related Vulnerabilities

CVE-2019-0230

CRITICAL

CVSS:9.8(Critical)

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

CWE-13212019

CVE-2019-14379

CRITICAL

CVSS:9.8(Critical)

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leadi...

CWE-13212019

CVE-2019-19919

CRITICAL

CVSS:9.8(Critical)

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow...

CWE-13212019

CVE-2020-28269

CRITICAL

CVSS:9.8(Critical)

Prototype pollution vulnerability in 'field' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.

CWE-13212020

CVE-2020-28270

CRITICAL

CVSS:9.8(Critical)

Prototype pollution vulnerability in 'object-hierarchy-access' versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution.

CWE-13212020

CVE-2020-28271

CRITICAL

CVSS:9.8(Critical)

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.

CWE-13212020