CVE-2024-30254 MEDIUM

CVE-2024-30254: Directory traversal allowing overwriting arbitrary files

Vendor: Jcwasmx86
Product: mesonlsp
Weakness: CWE-22 · Path traversal
Published: April 4, 2024
Last update: August 26, 2024

CVSS base score

5.8/10
Attack vector: Local
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L

What the vulnerability does

01 Description

MesonLSP is an unofficial, unendorsed language server for Meson written in C++. A vulnerability in versions prior to 4.1.4 allows an attacker to overwrite arbitrary files if they can make the victim either run the language server within a specially crafted project or run `mesonlsp --full`. Version 4.1.4 contains a patch for this issue. As a workaround, avoid running `mesonlsp --full` and set the language server option `others.neverDownloadAutomatically` to `true`.

Key dates

02 Disclosure timeline

April 4, 2024: CVE published
August 26, 2024: Record updated