GHSA-p5gc-c584-jj6v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p5gc-c584-jj6v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-p5gc-c584-jj6v/GHSA-p5gc-c584-jj6v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p5gc-c584-jj6v
- Aliases
- Related
- Published
- 2023-05-17T03:49:37Z
- Modified
- 2023-11-08T04:12:34.598027Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- vm2 vulnerable to Inspect Manipulation
- Details
-
In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node
inspectmethod and edit options forconsole.log.Impact
A threat actor can edit options for
console.log.Patches
This vulnerability was patched in the release of version
3.9.18ofvm2.Workarounds
After creating a vm make the
inspectmethod readonly withvm.readonly(inspect).References
PoC - https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550
For more information
If you have any questions or comments about this advisory:
- Open an issue in VM2
Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.
- Database specific
{ "nvd_published_at": "2023-05-15T20:15:09Z", "cwe_ids": [ "CWE-74" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-05-17T03:49:37Z" }- References
-
- https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v
- https://nvd.nist.gov/vuln/detail/CVE-2023-32313
- https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238
- https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550
- https://github.com/patriksimek/vm2
- https://github.com/patriksimek/vm2/releases/tag/3.9.18
Affected packages
npm / vm2
Package
- Name
- vm2
- View open source insights on deps.dev
- Purl
- pkg:npm/vm2