Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2024-34347
HistoryMay 08, 2024 - 3:15 p.m.

CVE-2024-34347

2024-05-0815:15:11
CWE-77
[email protected]
web.nvd.nist.gov
34
hoppscotch test scripts
ci environments
node.js vm
javascript sandbox
vulnerability fix

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

8.4%

JSON

@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0.

VendorProductVersionCPE
hoppscotchhoppscotch*cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*

Related

osv 2
cvelist 1
veracode 1
github 1
osv
osv
CVE-2024-34347
2024-05-08 15:15:11
@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
2024-04-22 18:38:11
cvelist
cvelist
CVE-2024-34347 @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
2024-05-08 14:16:38
veracode
veracode
Sandbox Escape
2024-04-23 11:37:03
github
github
@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
2024-04-22 18:38:11

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

8.4%

JSON
Related for CVE-2024-34347
osv2cvelist1veracode1github1