Inspect method manipulation in vm2
CVE-2023-32313

5.3MEDIUM

Key Information:

Vendor

Patriksimek

Status
Vm2
Vendor
CVE Published:
15 May 2023

What is CVE-2023-32313?

vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node inspect method and edit options for console.log. As a result a threat actor can edit options for the console.log command. This vulnerability was patched in the release of version 3.9.18 of vm2. Users are advised to upgrade. Users unable to upgrade may make the inspect method readonly with vm.readonly(inspect) after creating a vm.

Affected Version(s)

vm2 < 3.9.18

References

https://github.com/patriksimek/vm2/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/patriksimek/vm2/commit/5206ba25afd86ef...
x_refsource_MISC
https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93...
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.