Description
Sandbox Breakout in realms-shim
Versions of realms-shim prior to 1.2.0 are vulnerable to a Sandbox Breakout. Reflect.construct can be used on the sandboxed Function constructor to reach the prototypes of the primal Realm, which may allow an attacker to escape the sandbox and execute arbitrary code.
Recommendation
Upgrade to version 1.2.0 or later.
References
- https://github.com/Agoric/realms-shim/security/advisories/GHSA-6jg8-7333-554w
- https://github.com/Agoric/realms-shim
- https://github.com/advisories/GHSA-6jg8-7333-554w
- https://snyk.io/vuln/SNYK-JS-REALMSSHIM-471680
- https://www.npmjs.com/advisories/1180
- https://www.npmjs.com/advisories/1181
- https://www.npmjs.com/advisories/1182
- https://www.npmjs.com/advisories/1190
- https://www.npmjs.com/advisories/1191
Packages

| Name | Affected versions | Fixed version |
|------|-------------------|---------------|
| realms-shim (npm) | < 1.2.0 | 1.2.0 |
| ses (npm) | < 0.6.3 | 0.6.3 |
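To check whether a project still resolves an affected release, including nested transitive copies, the following added example (not code from the advisory or from Agoric) scans a parsed `package-lock.json` against the fixed versions listed above. The helper names `isAffected` and `findAffected` and the sample lockfile are constructed for illustration; the handling of both the flat `packages` layout and the older nested `dependencies` layout goes beyond what the advisory itself describes.

```javascript
// Fixed versions come from the package table on this page.
const FIXED = new Map([["realms-shim", "1.2.0"], ["ses", "0.6.3"]]);
// True when `version` sorts below `fixed` (x.y.z, optional -prerelease).
function isAffected(version, fixed) {
  const plain = version.split("+")[0];            // drop build metadata
  const dash = plain.indexOf("-");
  const core = dash === -1 ? plain : plain.slice(0, dash);
  const a = core.split(".").map(Number);
  const b = fixed.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return dash !== -1; // a prerelease of the fixed version still precedes it
}

// Walk a parsed package-lock.json and list every affected install.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const fixed = FIXED.get(name);
    if (fixed && typeof version === "string" && isAffected(version, fixed)) {
      hits.push({ name, version, where, fixed });
    }
  };
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf("node_modules/");
      if (i !== -1) check(path.slice(i + 13), meta.version, path);
    }
  } else { // lockfileVersion 1: nested dependency tree
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, trail + name);
        walk(meta.dependencies, trail + name + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = { lockfileVersion: 2, packages: {
  "": { name: "demo-app", version: "0.0.1" },
  "node_modules/realms-shim": { version: "1.1.2" },
  "node_modules/ses": { version: "0.6.3" },
  "node_modules/some-lib/node_modules/ses": { version: "0.5.1" },
} };
console.log(findAffected(sampleLock));
```

In practice, pass it `JSON.parse` of the project's own lockfile; any hit means the dependency that pulls in the old copy needs to be upgraded as well.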
9.8 Critical
CVSS3