Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency vm2 to 3.9.18 [security] #1294

Merged
merged 1 commit into from
May 19, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 16, 2023

Mend Renovate

This PR contains the following updates:

Package Change
vm2 3.9.17 -> 3.9.18

GitHub Vulnerability Alerts

CVE-2023-32314

A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy.

Impact

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Patches

This vulnerability was patched in the release of version 3.9.18 of vm2.

Workarounds

None.

References

PoC - https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac

For more information

If you have any questions or comments about this advisory:

  • Open an issue in VM2

Thanks to @​arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.

CVE-2023-32313

In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node inspect method and edit options for console.log.

Impact

A threat actor can edit options for console.log.

Patches

This vulnerability was patched in the release of version 3.9.18 of vm2.

Workarounds

After creating a vm make the inspect method readonly with vm.readonly(inspect).

References

PoC - https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550

For more information

If you have any questions or comments about this advisory:

  • Open an issue in VM2

Thanks to @​arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@kamilmysliwiec kamilmysliwiec merged commit 1ab04dd into master May 19, 2023
@delete-merged-branch delete-merged-branch bot deleted the renovate/npm-vm2-vulnerability branch May 19, 2023 11:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant