{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23347", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "state": "PUBLISHED", "assignerShortName": "facebook", "dateReserved": "2024-01-15T19:19:44.939Z", "datePublished": "2024-01-16T17:57:20.308Z", "dateUpdated": "2025-06-20T17:54:46.578Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Meta Spark Studio", "vendor": "Meta Platforms, Inc", "versions": [{"lessThan": "176", "status": "affected", "version": "0", "versionType": "semver"}]}], "dateAssigned": "2024-01-12T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Prior to v176, when opening a new project Meta Spark Studio would execute scripts defined inside of a package.json file included as part of that project. Those scripts would have the ability to execute arbitrary code on the system as the application."}], "problemTypes": [{"descriptions": [{"description": "CWE-99: Improper Control of Resource Identifiers ('Resource Injection')", "lang": "en"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2024-01-16T17:57:20.308Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.facebook.com/security/advisories/cve-2024-23347"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.227Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.facebook.com/security/advisories/cve-2024-23347"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-01-16T19:26:57.857642Z", "id": "CVE-2024-23347", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T17:54:46.578Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.facebook.com/security/advisories/cve-2024-23347", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.227Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-23347", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-01-16T19:26:57.857642Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T17:54:41.762Z"}}], "cna": {"affected": [{"vendor": "Meta Platforms, Inc", "product": "Meta Spark Studio", "versions": [{"status": "affected", "version": "0", "lessThan": "176", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.facebook.com/security/advisories/cve-2024-23347", "tags": ["x_refsource_CONFIRM"]}], "dateAssigned": "2024-01-12T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Prior to v176, when opening a new project Meta Spark Studio would execute scripts defined inside of a package.json file included as part of that project. Those scripts would have the ability to execute arbitrary code on the system as the application."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-99: Improper Control of Resource Identifiers ('Resource Injection')"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2024-01-16T17:57:20.308Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23347", "state": "PUBLISHED", "dateUpdated": "2025-06-20T17:54:46.578Z", "dateReserved": "2024-01-15T19:19:44.939Z", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "datePublished": "2024-01-16T17:57:20.308Z", "assignerShortName": "facebook"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:facebook:meta_spark_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A2477AC-6870-4B94-B74E-BA1DBEC2F2DD", "versionEndExcluding": "176", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Prior to v176, when opening a new project Meta Spark Studio would execute scripts defined inside of a package.json file included as part of that project. Those scripts would have the ability to execute arbitrary code on the system as the application."}, {"lang": "es", "value": "Antes de v176, al abrir un nuevo proyecto, Meta Spark Studio ejecutaba scripts definidos dentro de un archivo package.json incluido como parte de ese proyecto. Esos scripts tendr\u00edan la capacidad de ejecutar c\u00f3digo arbitrario en el sistema como aplicaci\u00f3n."}], "id": "CVE-2024-23347", "lastModified": "2025-06-20T18:15:28.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-01-16T18:15:11.267", "references": [{"source": "cve-assign@fb.com", "tags": ["Vendor Advisory"], "url": "https://www.facebook.com/security/advisories/cve-2024-23347"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.facebook.com/security/advisories/cve-2024-23347"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}