CVE-2024-54152

Publication date 10 December 2024

Last updated 11 December 2024

Ubuntu priority

Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to version 1.4.3, an attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system. The problem has been patched in version 1.4.3 of Angular Expressions. Two possible workarounds are available. One may either disable access to `__proto__` globally or make sure that one uses the function with just one argument.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
angular.js	24.10 oracular	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-54152
https://github.com/peerigon/angular-expressions/commit/97f7ad94006156eeb97fc942332578b6cfbf8eef
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-5462-4vcx-jh7j