CVE-2024-47180

Summary

CVE-2024-47180 is a recently disclosed remote execution vulnerability affecting Shields.io, a service that generates concise badges in SVG and raster formats. Versions of Shields.io prior to server-2024-09-25 are vulnerable to this issue, which leverages the JSONPath library used for Dynamic JSON/Toml/Yaml badges. Malicious JSONPath expressions can be crafted to execute arbitrary code on the affected instance, potentially allowing unauthorized users to gain control. Those self-hosting Shields.io are urged to update to server-2024-09-25 or later, while users following the rolling tag on DockerHub should pull the latest version using 'docker pull shieldsio/shields:next'. A workaround involves blocking access to the exploitable endpoints for /badge/dynamic/json, /badge/dynamic/toml, and /badge/dynamic/yaml.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.