Description
jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable.
References (5)
Patch, Third Party Advisory (x_refsource_misc): https://github.com/jmespath/jmespath.rb/pull/55
Third Party Advisory (x_refsource_misc): https://github.com/jmespath/jmespath.rb/compare/v1.6.0...v1.6.1
Third Party Advisory (x_refsource_misc): https://stackoverflow.com/a/30050571/580231
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGZ2YWONVFFOPACHAT4MM7ZBT4DNHOF5/
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/376NUPIPTYBWWGS33GO4UOLQRI4D3BTP/
Scores
CVSS v3: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0208
EPSS Percentile: 84.2%
Attack Vector: NETWORK
Details
Status: published
Products (4)
fedoraproject/fedora: 35
fedoraproject/fedora: 36
jmespath_project/jmespath: < 1.6.1
rubygems/jmespath: 0 - 1.6.1 (RubyGems)
Published: Jun 06, 2022
Tracked Since: Feb 18, 2026