GHSA-7cg8-pq9v-x98q

Published: 21 Oct 2019
Source: github
GitHub: Reviewed
CVSS3: 9.8 (Critical)

Description

Sandbox Breakout in realms-shim

Versions of realms-shim prior to 1.2.1 are vulnerable to a Sandbox Breakout. The Realms evaluation function has an option to apply Babel-like transformations to the source code before it reaches the evaluator. One portion of this transform pipeline exposed a primal-Realm object to the rewriting function. Confined code which used the evaluator itself could provide a malicious rewriter function that captured this object, and use it to breach the sandbox.

Recommendation

Upgrade to version 1.2.1 or later.

Packages

Name: realms-shim (npm)
Affected versions: < 1.2.1
Patched version: 1.2.1
