CVE-2023-32313

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-32313

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32313.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-32313

Aliases

GHSA-p5gc-c584-jj6v

Related

GHSA-p5gc-c584-jj6v

Published

2023-05-15T20:15:09Z

Modified

2025-01-15T04:53:20.135086Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node inspect method and edit options for console.log. As a result a threat actor can edit options for the console.log command. This vulnerability was patched in the release of version 3.9.18 of vm2. Users are advised to upgrade. Users unable to upgrade may make the inspect method readonly with vm.readonly(inspect) after creating a vm.

References

Affected packages

Git / github.com/patriksimek/vm2

Affected ranges

Type: GIT
Repo: https://github.com/patriksimek/vm2
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5206ba25afd86ef547a2c9d48d46ca7a9e6ec238

Fixed

5206ba25afd86ef547a2c9d48d46ca7a9e6ec238

Affected versions

3.*

3.9.10

3.9.11

3.9.12

3.9.13

3.9.14

3.9.15

3.9.16

3.9.17

3.9.3

3.9.4

3.9.5

3.9.6

3.9.7

3.9.8

3.9.9

v3.*

v3.9.0

v3.9.1

v3.9.2