CVE-2024-21534
DOM Clobbering vulnerability in jsonpath-plus
What is CVE-2024-21534 About?
Prism (aka PrismJS) is vulnerable to DOM Clobbering, which can lead to Cross-Site Scripting (XSS) under specific conditions. This occurs because an attacker can inject HTML elements that shadow `document.currentScript` lookup. The impact is XSS for untrusted HTML input not directly containing JavaScript, and it requires specific attacker-injected HTML elements.
Affected Software
- jsonpath-plus: <10.2.0
- org.webjars.npm:jsonpath-plus: <=6.0.1
Technical Details
The vulnerability in Prism (versions through 1.29.0) stems from a DOM Clobbering flaw, allowing attackers to manipulate the Document Object Model (DOM) in unexpected ways. Specifically, the mechanism for looking up `document.currentScript` can be shadowed by attacker-injected HTML elements. This manipulation can lead to Cross-Site Scripting (XSS) if untrusted input contains HTML, even if it does not directly embed JavaScript. By injecting HTML elements with specific `id` or `name` attributes, an attacker can overwrite global variables or properties of the `window` object, thereby controlling script execution or data flow in a way unintended by the application.
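As an added illustration of the mechanism described above (example code, not from PrismJS or jsonpath-plus), the check below scans an untrusted HTML fragment before it is rendered and reports `id`/`name` attributes whose values collide with `document`/`window` property names an application might rely on, such as `currentScript`. The target list and the sample fragment are assumptions constructed for the example.

```javascript
// Added example: pre-render detection of DOM Clobbering candidates.
// Property names that a page's scripts may look up on `document` or `window`;
// this list is an assumption and should be tailored to the application.
const DOCUMENT_TARGETS = new Set([
  'currentScript', 'body', 'head', 'forms', 'scripts', 'images', 'links',
  'cookie', 'location', 'domain', 'referrer', 'title',
]);

// Elements whose `name` attribute becomes a named property on `document`.
const NAMED_ON_DOCUMENT = new Set(['form', 'img', 'iframe', 'embed', 'object']);

// Returns [{ tag, attr, value }] for every id/name attribute in `html` whose
// value matches one of `targets`. An `id` on any element is reported, since it
// also becomes a named property on `window`; a `name` is reported only for the
// element types listed above.
function findClobberingAttributes(html, targets = DOCUMENT_TARGETS) {
  const hits = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*?)\/?>/g;
  const attrRe = /(?<![\w:-])(id|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const tagName = tag[1].toLowerCase();
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const attrName = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4];
      if (attrName === 'name' && !NAMED_ON_DOCUMENT.has(tagName)) continue;
      if (targets.has(value)) hits.push({ tag: tagName, attr: attrName, value });
    }
  }
  return hits;
}

// Constructed sample: no <script> tag, yet two attributes shadow document lookups.
const SAMPLE_HTML =
  '<p>hello</p><img name="currentScript" src="x.png">' +
  '<div id="body"></div><span name="forms"></span>';

console.log(findClobberingAttributes(SAMPLE_HTML));
```

A fragment that yields any hits should be rejected or have the offending attributes stripped by the sanitizer rather than being inserted into the page.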
What is the Impact of CVE-2024-21534?
Successful exploitation may allow attackers to execute arbitrary scripts in the context of the user's browser, hijack user sessions, deface web pages, or redirect users to malicious sites.
What is the Exploitability of CVE-2024-21534?
Exploitation complexity for this DOM Clobbering vulnerability leading to XSS is moderate to high, as it requires specific conditions related to untrusted HTML input and the ability to inject crafted HTML elements. There are no explicit authentication or privilege requirements mentioned, implying it could be exploited by an unauthenticated remote attacker if they can control portions of the HTML rendered by the application. The primary constraint is the necessity for reflected HTML input that doesn't directly contain JavaScript but can be manipulated. Risk factors involve applications that process and render untrusted HTML input without proper sanitization, combined with the presence of the vulnerable PrismJS library.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| XiaomingX | Link | The jsonpath-plus package (versions <=10.0.7) has a critical remote code execution (RCE) vulnerability that allows attackers to execute arbitrary code through Node.js's VM module. The flaw is caused by insufficient input validation, affects versions below 10.0.7, and has a CVSS score of 9.8 (critical). It was first disclosed on 11 October 2024. |
| verylazytech | Link | POC - CVE-2024-21534 Jsonpath-plus vulnerable to Remote Code Execution (RCE) due to improper input sanitization |
| pabloopez | Link | Proof-of-concept (PoC) exploit for JSONPath-plus vulnerability |
What are the Available Fixes for CVE-2024-21534?
Available Upgrade Options
- jsonpath-plus
- <10.2.0 → Upgrade to 10.2.0
Additional Resources
- https://github.com/JSONPath-Plus/JSONPath/issues/226
- https://github.com/JSONPath-Plus/JSONPath/pull/233
- https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
- https://osv.dev/vulnerability/GHSA-pppg-cpfq-h7wr
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019
- https://github.com/JSONPath-Plus/JSONPath/commit/73ad72e5ee788d8287dea6e8283a3f16f63c9eb8
- https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3
What are Similar Vulnerabilities to CVE-2024-21534?
Similar Vulnerabilities: CVE-2023-42465, CVE-2024-21915, CVE-2023-45479, CVE-2023-28956, CVE-2023-38501
