Vulnerable Library - juicy-chat-bot-0.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 5bd0cab999e471d7b91efdd7de70467c31d2c8cd
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-32313
Vulnerable Library - vm2-3.9.17.tgz
Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.17.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- juicy-chat-bot-0.8.0.tgz (Root Library)
  - ❌ vm2-3.9.17.tgz (Vulnerable Library)
Found in HEAD commit: 5bd0cab999e471d7b91efdd7de70467c31d2c8cd
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
juice-shop-17.0.0/routes/chatbot.ts (Application)
-> juicy-chat-bot-0.8.0/index.js (Extension)
-> vm2-3.9.17/index.js (Extension)
-> vm2-3.9.17/lib/main.js (Extension)
-> ❌ vm2-3.9.17/lib/vm.js (Vulnerable Component)
Vulnerability Details
vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node "inspect" method and edit options for "console.log". As a result a threat actor can edit options for the "console.log" command. This vulnerability was patched in the release of version "3.9.18" of "vm2". Users are advised to upgrade. Users unable to upgrade may make the "inspect" method readonly with "vm.readonly(inspect)" after creating a vm.
Publish Date: 2023-05-15
URL: CVE-2023-32313
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-p5gc-c584-jj6v
Release Date: 2023-05-15
Fix Resolution: vm2 - 3.9.18
CVE-2023-32314
Vulnerable Library - vm2-3.9.17.tgz
Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.17.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- juicy-chat-bot-0.8.0.tgz (Root Library)
  - ❌ vm2-3.9.17.tgz (Vulnerable Library)
Found in HEAD commit: 5bd0cab999e471d7b91efdd7de70467c31d2c8cd
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of "Proxy". As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version "3.9.18" of "vm2". Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2023-05-15
URL: CVE-2023-32314
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-whpj-8f3w-67p5
Release Date: 2023-05-15
Fix Resolution: vm2 - 3.9.18