Update Node.js Package: vm2 to version 3.9.17 or later
SurajBKamble opened this issue · 1 comments
Which node-red-contrib-modbus version are you using?
5.23.1
What happened?
Exposure of Sensitive Information, Manipulation of Data, Denial of Service (DoS)
-
vm2 was not properly handling host objects passed to
Error.prepareStackTrace
in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. [CVE-2023-29017] -
A vulnerability in source code transformer (exception sanitization logic) of vm2, allows attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. [CVE-2023-29199]
-
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. A vulnerability in exception sanitization of vm2 allows attackers to raise an unsanitized host exception inside
handleException()
which can be used to escape the sandbox and run arbitrary code in host context. [CVE-2023-30547] -
In vm2, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.
-
In vm2, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code. [CVE-2023-37466]
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-30547
https://nvd.nist.gov/vuln/detail/CVE-2023-29017
https://nvd.nist.gov/vuln/detail/CVE-2023-29199
Server
Modbus-Server Node
How can this be reproduced?
Its a vulnerability bug
What did you expect to happen?
No response
Other Information
No response