{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-29651", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-02-13T15:47:47.764Z", "datePublished": "2024-05-20T17:15:21.434Z", "dateReserved": "2024-03-19T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-20T17:15:21.718Z"}, "descriptions": [{"lang": "en", "value": "A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the bundle()`, `parse()`, `resolve()`, `dereference() functions."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gist.github.com/tariqhawis/5db76b38112bba756615b688c32409ad"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:55.430Z"}, "title": "CVE Program Container", "references": [{"url": "https://gist.github.com/tariqhawis/5db76b38112bba756615b688c32409ad", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1321", "lang": "en", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "affected": [{"vendor": "apidevtools", "product": "json-schema-ref-parser", "cpes": ["cpe:2.3:a:apidevtools:json-schema-ref-parser:11.0.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "11.0.0", "status": "affected"}]}, {"vendor": "apidevtools", "product": "json-schema-ref-parser", "cpes": ["cpe:2.3:a:apidevtools:json-schema-ref-parser:11.1.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "11.1.0", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-20T14:08:46.922804Z", "id": "CVE-2024-29651", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-20T14:11:23.060Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gist.github.com/tariqhawis/5db76b38112bba756615b688c32409ad", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:55.430Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-29651", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-20T14:08:46.922804Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apidevtools:json-schema-ref-parser:11.0.0:*:*:*:*:*:*:*"], "vendor": "apidevtools", "product": "json-schema-ref-parser", "versions": [{"status": "affected", "version": "11.0.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:apidevtools:json-schema-ref-parser:11.1.0:*:*:*:*:*:*:*"], "vendor": "apidevtools", "product": "json-schema-ref-parser", "versions": [{"status": "affected", "version": "11.1.0"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-20T14:11:15.893Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://gist.github.com/tariqhawis/5db76b38112bba756615b688c32409ad"}], "descriptions": [{"lang": "en", "value": "A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the bundle()`, `parse()`, `resolve()`, `dereference() functions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-20T17:15:21.718Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29651", "state": "PUBLISHED", "dateUpdated": "2025-02-13T15:47:47.764Z", "dateReserved": "2024-03-19T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-05-20T17:15:21.434Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the bundle()`, `parse()`, `resolve()`, `dereference() functions."}, {"lang": "es", "value": " Un problema de contaminaci\u00f3n de prototipos en API Dev Tools json-schema-ref-parser v.11.0.0 y v.11.1.0 permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s de bundle()`, `parse()`, `resolve( )`, `funciones de desreferencia()."}], "id": "CVE-2024-29651", "lastModified": "2024-11-21T09:08:08.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-20T18:15:10.270", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/tariqhawis/5db76b38112bba756615b688c32409ad"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://gist.github.com/tariqhawis/5db76b38112bba756615b688c32409ad"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "json-schema-ref-parser: Prototype pollution issue", "id": "2282247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282247"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-1321", "details": ["A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the bundle()`, `parse()`, `resolve()`, `dereference() functions.", "A prototype pollution flaw was found in the API Dev Tools json-schema-ref-parser. This flaw allows a remote attacker to cause a denial of service, Cross-site scripting, or arbitrary code via the bundle(), parse(), resolve(), and dereference() functions."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-29651", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "json-schema-ref-parser", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Will not fix", "package_name": "json-schema-ref-parser", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:discovery:1", "fix_state": "Not affected", "package_name": "discovery-server-container", "product_name": "Red Hat Discovery"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "json-schema-ref-parser", "product_name": "Red Hat Integration Camel K 1"}], "public_date": "2024-05-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-29651\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29651\nhttps://github.com/advisories/GHSA-5f97-h2c2-826q"], "statement": "Red Hat Developer Hub does not use a vulnerable version of json-schema-ref-parser. Therefore, it is not affected by this vulnerability.", "threat_severity": "Moderate"}