CVE-2022-39266
CRITICAL 9.6 | EPSS 0.27% | isolated-vm has vulnerable CachedDataOptions in API
Published: 2022/9/30 | Modified: 2023/11/8
Description
### Impact
If untrusted V8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the Node.js process. Version 4.3.7 changes the documentation to warn users that they should not accept `cachedData` payloads from a user.
Affected packages (1)
- npm/isolated-vm: from 0, < 4.3.7
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.6 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-39266
- PATCH: https://github.com/laverdet/isolated-vm
- WEB: https://github.com/laverdet/isolated-vm/commit/218e87a6d4e8cb818bea76d1ab30cd0be51920e8
- WEB: https://github.com/laverdet/isolated-vm/commits/v4.3.7
- WEB: https://github.com/laverdet/isolated-vm/issues/379
- WEB: https://github.com/laverdet/isolated-vm/security/advisories/GHSA-2jjq-x548-rhpv