CVE-2024-47180 (GCVE-0-2024-47180)
Vulnerability from cvelistv5 – Published: 2024-09-26 19:21 – Updated: 2024-09-26 19:47
Title
Shields.io Remote Code Execution vulnerability in Dynamic JSON/TOML/YAML badges
Summary
Shields.io is a service for concise, consistent, and legible badges in SVG and raster format. Shields.io and users self-hosting their own instance of Shields on a version earlier than `server-2024-09-25` are vulnerable to a remote code execution vulnerability via the JSONPath library used by the Dynamic JSON/TOML/YAML badges. This vulnerability would allow any user who can make a request to a URL on the instance to execute code by crafting a malicious JSONPath expression. All users who self-host an instance are vulnerable. This problem was fixed in `server-2024-09-25`. Those who follow the tagged releases should update to `server-2024-09-25` or later. Those who follow the rolling tag on DockerHub should run `docker pull shieldsio/shields:next` to update to the latest version. As a workaround, blocking access to the endpoints `/badge/dynamic/json`, `/badge/dynamic/toml`, and `/badge/dynamic/yaml` (e.g. via a firewall or reverse proxy in front of your instance) would prevent the exploitable endpoints from being accessed.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
GitHub_M
References
4 references
| URL | Tags |
|---|---|
| https://github.com/badges/shields/security/adviso… | x_refsource_CONFIRM |
| https://github.com/badges/shields/issues/10553 | x_refsource_MISC |
| https://github.com/badges/shields/pull/10551 | x_refsource_MISC |
| https://github.com/badges/shields/commit/ec1b6c8d… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:badges:shields:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "shields",
"vendor": "badges",
"versions": [
{
"lessThan": "server-2024-09-25",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T19:45:53.317118Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T19:47:50.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "shields",
"vendor": "badges",
"versions": [
{
"status": "affected",
"version": "\u003c server-2024-09-25"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shields.io is a service for concise, consistent, and legible badges in SVG and raster format. Shields.io and users self-hosting their own instance of shields using version \u003c `server-2024-09-25` are vulnerable to a remote execution vulnerability via the JSONPath library used by the Dynamic JSON/Toml/Yaml badges. This vulnerability would allow any user with access to make a request to a URL on the instance to the ability to execute code by crafting a malicious JSONPath expression. All users who self-host an instance are vulnerable. This problem was fixed in server-2024-09-25. Those who follow the tagged releases should update to `server-2024-09-25` or later. Those who follow the rolling tag on DockerHub, `docker pull shieldsio/shields:next` to update to the latest version. As a workaround, blocking access to the endpoints `/badge/dynamic/json`, `/badge/dynamic/toml`, and `/badge/dynamic/yaml` (e.g: via a firewall or reverse proxy in front of your instance) would prevent the exploitable endpoints from being accessed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T19:21:04.584Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/badges/shields/security/advisories/GHSA-rxvx-x284-4445",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/badges/shields/security/advisories/GHSA-rxvx-x284-4445"
},
{
"name": "https://github.com/badges/shields/issues/10553",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/badges/shields/issues/10553"
},
{
"name": "https://github.com/badges/shields/pull/10551",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/badges/shields/pull/10551"
},
{
"name": "https://github.com/badges/shields/commit/ec1b6c8daccda075403c1688ac02603f7aaa50b2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/badges/shields/commit/ec1b6c8daccda075403c1688ac02603f7aaa50b2"
}
],
"source": {
"advisory": "GHSA-rxvx-x284-4445",
"discovery": "UNKNOWN"
},
"title": "Shields.io Remote Code Execution vulnerability in Dynamic JSON/TOML/YAML badges"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47180",
"datePublished": "2024-09-26T19:21:04.584Z",
"dateReserved": "2024-09-19T22:32:11.962Z",
"dateUpdated": "2024-09-26T19:47:50.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-47180",
"date": "2026-06-04",
"epss": "0.03964",
"percentile": "0.88577"
}
}
}