Description
## Overview
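Affected versions of `safe-eval` are vulnerable to a sandbox escape. Objects reachable inside the sandbox still expose their `constructor` chain, which leads to the host's `Function` constructor; through it, unsanitized user input can run code outside the sandbox, access the entire standard library, and effectively break out of the sandbox.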
## Proof of Concept:
This code reaches the host `process` object from inside the sandbox and calls `.exit()`, which terminates the Node.js process that called `safeEval`.
```
// Load the evaluator under test; the advisory lists versions before 0.4.0 as affected.
var safeEval = require('safe-eval');
// `this.constructor.constructor` resolves to a Function constructor that is not confined to the
// sandbox, so the function it builds can return the host `process` object. Calling `.exit()` on it
// stops the host process, which shows the evaluated string ran outside the sandbox.
safeEval("this.constructor.constructor('return process')().exit()");
```
## Recommendation
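Update to version 0.4.0 or later, and confirm the version that is actually resolved, including transitive copies, with `npm ls safe-eval`. The upgrade addresses the escape reported here. Because in-process JavaScript sandboxes are hard to make airtight, code that evaluates untrusted input should still run with least privilege, for example in a separate process or container.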
## References
- [Issue #5](https://github.com/hacksparrow/safe-eval/issues/5)
- [Issue #59](https://github.com/patriksimek/vm2/issues/59)
- [GitHub PR fix](https://github.com/hacksparrow/safe-eval/pull/13)
- [GitHub Advisory](https://github.com/advisories/GHSA-ww6v-677g-p656)
Affected Software
Related
{"id": "NODEJS:337", "type": "nodejs", "bulletinFamily": "software", "title": "Sandbox Breakout", "description": "## Overview\n\nAffected versions of `safe-eval` are vulnerable to a sandbox escape. By accessing object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. \n\n## Proof of Concept:\nThis code accesses the process object and calls `.exit()`\n```\nvar safeEval = require('safe-eval');\nsafeEval(\"this.constructor.constructor('return process')().exit()\");\n```\n\n## Recommendation\n\nUpdate to version 0.4.0 or later\n\n## References\n\n- [Issue #5](https://github.com/hacksparrow/safe-eval/issues/5)\n- [Issue #59](https://github.com/patriksimek/vm2/issues/59)\n- [GitHub PR fix](https://github.com/hacksparrow/safe-eval/pull/13)\n- [GitHub Advisory](https://github.com/advisories/GHSA-ww6v-677g-p656)", "published": "2017-04-19T23:29:48", "modified": "2021-09-23T07:57:06", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": true, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://www.npmjs.com/advisories/337", 
"reporter": "Alessandro Nadalin", "references": [], "cvelist": ["CVE-2017-16088"], "immutableFields": [], "lastseen": "2021-09-23T06:35:58", "viewCount": 1726, "enchantments": {"score": {"value": 6.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-16088"]}, {"type": "github", "idList": ["GHSA-WW6V-677G-P656"]}]}, "backreferences": {"references": [{"type": "cert", "idList": ["VU:319816"]}, {"type": "cve", "idList": ["CVE-2017-16088"]}, {"type": "github", "idList": ["GHSA-WW6V-677G-P656"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108456"]}, {"type": "osv", "idList": ["OSV:GHSA-WW6V-677G-P656"]}, {"type": "threatpost", "idList": ["THREATPOST:12B9BFB35BF21AD95E3A7F11B241431F"]}]}, "exploitation": null, "vulnersScore": 6.3}, "affectedSoftware": [{"operator": "lt", "version": "0.4.0", "name": "safe-eval"}], "_state": {"dependencies": 1647589307, "score": 0}}
{"github": [{"lastseen": "2022-05-13T12:33:35", "description": "Affected versions of `safe-eval` are vulnerable to a sandbox escape. By accessing object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. \n\n## Proof of Concept:\nThis code accesses the process object and calls `.exit()`\n```\nvar safeEval = require('safe-eval');\nsafeEval(\"this.constructor.constructor('return process')().exit()\");\n```\n\n\n## Recommendation\n\nUpdate to version 0.4.0 or later", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-07-18T18:28:10", "type": "github", "title": "Sandbox Breakout in safe-eval", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16088"], "modified": "2021-01-08T00:48:18", "id": "GHSA-WW6V-677G-P656", "href": "https://github.com/advisories/GHSA-ww6v-677g-p656", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T14:32:45", "description": "The safe-eval module describes itself as a safer version of eval. 
By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-07T02:29:00", "type": "cve", "title": "CVE-2017-16088", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16088"], "modified": "2019-10-09T23:24:00", "cpe": ["cpe:/a:safe-eval_project:safe-eval:0.3.0", "cpe:/a:safe-eval_project:safe-eval:0.0.0", "cpe:/a:safe-eval_project:safe-eval:0.2.0", "cpe:/a:safe-eval_project:safe-eval:0.1.0"], "id": "CVE-2017-16088", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16088", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:safe-eval_project:safe-eval:0.1.0:*:*:*:*:node.js:*:*", "cpe:2.3:a:safe-eval_project:safe-eval:0.2.0:*:*:*:*:node.js:*:*", "cpe:2.3:a:safe-eval_project:safe-eval:0.3.0:*:*:*:*:node.js:*:*", "cpe:2.3:a:safe-eval_project:safe-eval:0.0.0:*:*:*:*:node.js:*:*"]}], "osv": [{"lastseen": "2022-05-12T01:30:39", "description": "Affected versions of `safe-eval` are 
vulnerable to a sandbox escape. By accessing object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. \n\n## Proof of Concept:\nThis code accesses the process object and calls `.exit()`\n```\nvar safeEval = require('safe-eval');\nsafeEval(\"this.constructor.constructor('return process')().exit()\");\n```\n\n\n## Recommendation\n\nUpdate to version 0.4.0 or later", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-07-18T18:28:10", "type": "osv", "title": "Sandbox Breakout in safe-eval", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16088"], "modified": "2020-08-31T18:19:47", "id": "OSV:GHSA-WW6V-677G-P656", "href": "https://osv.dev/vulnerability/GHSA-ww6v-677g-p656", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}