chore: bump up vm2 version [SECURITY] #440
perfsee (Bundle, main diff)

------------------- Bundle Size Diff -------------------------
@@ EntryPoint: main @@
##                main     …vulnerability    +/- ##
===================================================================
=  Bundle        3.31 MB  3.31 MB
=  Initial JS    1.12 MB  1.12 MB
=  Initial CSS   0 B      0 B
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
=  Assets        79       79
=  Chunks        78       78
=  Packages      81       81
=  Duplicates    0        0
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files:
@@            Coverage Diff             @@
##             main     #440      +/-   ##
==========================================
- Coverage   78.76%   78.75%   -0.02%
==========================================
  Files         409      409
  Lines       38248    38248
  Branches     2306     2306
==========================================
- Hits        30126    30122       -4
- Misses       7920     7924       +4
  Partials      202      202

☔ View full report in Codecov by Sentry.
⚠ Artifact update problem: Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below: File name: yarn.lock
This PR contains the following updates:
vm2: 3.9.16 -> 3.9.18
vm2: 3.9.14 -> 3.9.16
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts

CVE-2023-30547
There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.
Impact: A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
Patches: This vulnerability was patched in the release of version 3.9.17 of vm2.
Workarounds: None.
References: PoC - https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244
For more information: If you have any questions or comments about this advisory:
Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.

CVE-2023-32314
A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy.
Impact: A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
Patches: This vulnerability was patched in the release of version 3.9.18 of vm2.
Workarounds: None.
References: PoC - https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
For more information: If you have any questions or comments about this advisory:
Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.

CVE-2023-32313
In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node inspect method and edit options for console.log.
Impact: A threat actor can edit options for console.log.
Patches: This vulnerability was patched in the release of version 3.9.18 of vm2.
Workarounds: After creating a vm, make the inspect method readonly with vm.readonly(inspect).
References: PoC - https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550
For more information: If you have any questions or comments about this advisory:
Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.

CVE-2023-29017
vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors.
Impact: A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
Patches: This vulnerability was patched in the release of version 3.9.15 of vm2.
Workarounds: None.

CVE-2023-29199
There exists a vulnerability in the source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.
Impact: A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
Patches: This vulnerability was patched in the release of version 3.9.16 of vm2.
Workarounds: None.
References:
GitHub Issue - https://github.com/patriksimek/vm2/issues/516
PoC - https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c
For more information: If you have any questions or comments about this advisory:
Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.
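An added check, not part of this PR or of vm2 itself, that maps the fixed versions stated in the advisories above onto whatever vm2 versions a yarn.lock resolves to, so a reviewer can see which advisories a lockfile still leaves open (the lockfile text below is a constructed sample, not this PR's yarn.lock):

```javascript
// Added example (not from this PR or from vm2): flag vm2 versions in a lockfile
// that still fall below the fixed versions stated in the advisories above.
const VM2_ADVISORIES = [
  { id: 'CVE-2023-29017', fixedIn: '3.9.15' }, // host objects via Error.prepareStackTrace
  { id: 'CVE-2023-29199', fixedIn: '3.9.16' }, // handleException() bypass
  { id: 'CVE-2023-30547', fixedIn: '3.9.17' }, // unsanitized host exception
  { id: 'CVE-2023-32313', fixedIn: '3.9.18' }, // writable inspect, console.log options
  { id: 'CVE-2023-32314', fixedIn: '3.9.18' }, // host object created via Proxy
];

// Parse "MAJOR.MINOR.PATCH" (optional leading v, ^ or ~) into three numbers.
function parseVersion(v) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Advisory ids whose fix version is newer than the installed version.
function openAdvisories(installed) {
  return VM2_ADVISORIES.filter(a => compareVersions(installed, a.fixedIn) < 0)
    .map(a => a.id);
}

// Walk yarn.lock v1 text: a top-level "vm2@..." key opens a block and the
// indented version line inside it is the resolved version. Returns { version: [ids] }.
function scanLockfile(text) {
  const found = {};
  let inVm2 = false;
  for (const line of text.split('\n')) {
    if (/^"?vm2@/.test(line)) { inVm2 = true; continue; }
    if (!/^\s/.test(line)) inVm2 = false; // any other top-level line ends the block
    const m = inVm2 && /^\s+version\s+"?([\d.]+)"?/.exec(line);
    if (m) found[m[1]] = openAdvisories(m[1]);
  }
  return found;
}

// Constructed sample lockfile: one stale resolution and one patched one.
const SAMPLE_LOCK = `vm2@3.9.14:
  version "3.9.14"

"vm2@^3.9.18":
  version "3.9.18"
`;
```

Running `scanLockfile(SAMPLE_LOCK)` reports all five advisories against 3.9.14 and none against 3.9.18; feed it the real lockfile to confirm a bump actually closes the alerts listed.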
Release Notes
patriksimek/vm2 (vm2)

v3.9.18
[fix] Multiple security fixes.
[new] Add resolver API to create a shared resolver for multiple NodeVM instances, allowing to cache scripts and increase sandbox startup times.
[new] Allow to pass a function to require.context which is called with the filename, allowing to specify the context per file.

v3.9.17
[fix] Multiple security fixes.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate. View repository job log here.