
4 matches found

OSV
added 2024/07/22 10:35 a.m., 26 views

SUSE-SU-2024:2574-1 Security update for nodejs20

This update for nodejs20 fixes the following issues:

Update to 20.15.1:

- CVE-2024-36138: Fixed CVE-2024-27980 fix bypass bsc1227560
- CVE-2024-22020: Fixed a bypass of network import restriction via data URL bsc1227554
- CVE-2024-22018: Fixed fs.lstat bypasses permission model bsc1227562
-...

CVSS 8.1, AI score 6, EPSS 0.00369
Exploits: 0, References: 12

Veracode
added 2023/04/11 2:50 a.m., 26 views

Arbitrary Code Execution

vm2 is vulnerable to Arbitrary Code Execution. The vulnerability exists because the newWrapped function of setup-sandbox.js does not properly handle host objects passed to Error.prepareStackTrace in case of unhandled async errors, which allows an attacker to bypass the sandbox protections and...

CVSS 10, AI score 9.3, EPSS 0.70647
Exploits: 1, References: 4, Affected Software: 1

Github Security Blog
added 2023/04/07 8:35 p.m., 90 views

vm2 vulnerable to sandbox escape

vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors.

- vm2 version: 3.9.14
- Node version: 18.15.0, 19.8.1, 17.9.1

Impact: A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the...

CVSS 10, AI score 9.7, EPSS 0.70647
Exploits: 1, References: 6, Affected Software: 1

NVD
added 2023/04/06 8:15 p.m., 20 views

CVE-2023-29017

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code...

CVSS 10, AI score 10, EPSS 0.70647
Exploits: 1, References: 4