Home > Vulnerability Database > CVE-2023-32313

Mend.io Vulnerability Database

CVE-2023-32313

Good to know:

Date: May 15, 2023

vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node "inspect" method and edit options for "console.log". As a result a threat actor can edit options for the "console.log" command. This vulnerability was patched in the release of version "3.9.18" of "vm2". Users are advised to upgrade. Users unable to upgrade may make the "inspect" method readonly with "vm.readonly(inspect)" after creating a vm.

Language: JS

Severity Score

5.3

Related Resources (7)

Url: https://github.com/patriksimek/vm2/releases/tag/3.9.18

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-32313

Url: https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v

Url: https://github.com/patriksimek/vm2

Url: https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238

Url: https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550

Url: https://www.mend.io/vulnerability-database/CVE-2023-32313

Severity Score

5.3

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version vm2 - 3.9.18

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-32313

Good to know:

Date: May 15, 2023

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?