Remote Execution Vulnerability in Shields.io Affects Self-Hosted Instances
CVE-2024-47180

8.8 HIGH

Key Information:

Vendor: Badges
Status: Vendor
CVE Published: 26 September 2024

What is CVE-2024-47180?

Shields.io, a widely used service for generating concise, legible badges in various formats, contains a vulnerability that allows remote code execution on self-hosted instances running versions earlier than server-2024-09-25. The flaw lies in the JSONPath library used by the Dynamic JSON/Toml/Yaml badges, which lets an attacker craft malicious JSONPath expressions. Any user who can send requests to a self-hosted instance can exploit it and potentially execute arbitrary code. Affected users should update to the latest version or, as a temporary workaround, block access to the vulnerable endpoints. The issue is fixed in the server-2024-09-25 release.

Affected Version(s)

shields < server-2024-09-25

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved