Posted to reviews@helix.apache.org by "helix-bot (via GitHub)" <gi...@apache.org> on 2023/05/02 21:34:16 UTC

[GitHub] [helix] helix-bot opened a new issue, #2474: vm2 vulnerable to sandbox escape - CVE-2023-29017

helix-bot opened a new issue, #2474:
URL: https://github.com/apache/helix/issues/2474

   Issue:
   Npm library vm2 is vulnerable to sandbox escape resulting in remote code execution.
   
   Description:
   vm2 is a sandbox that can run untrusted code with a whitelist of Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors.
   
   In helix-front, vm2 is a child dependency of dependency proxy-agent.
   
   Impact:
   A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
   
   Recommendation: 
   1) Please upgrade to vm2 version 3.9.15
   
   References:
   [GHSA-7jxr-cg7f-gpgv](https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv)
   https://nvd.nist.gov/vuln/detail/CVE-2023-29017
   [patriksimek/vm2#515](https://github.com/patriksimek/vm2/issues/515)
   [patriksimek/vm2@d534e57](https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50)
   https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org
For additional commands, e-mail: reviews-help@helix.apache.org


[GitHub] [helix] junkaixue closed issue #2474: vm2 vulnerable to sandbox escape - CVE-2023-29017

Posted by "junkaixue (via GitHub)" <gi...@apache.org>.
junkaixue closed issue #2474: vm2 vulnerable to sandbox escape - CVE-2023-29017
URL: https://github.com/apache/helix/issues/2474

