Demo5 #5
Demo5 #5
Conversation
![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
| @@ -731,6 +731,8 @@ async function createOrders () { | |||
| const script = new VMScript(createOrders); | |||
| try { | |||
| const result = vm.run(script); | |||
| const result = vm.run(script); | |||
There was a problem hiding this comment.
Risk: vm2 versions before 3.9.16 are vulnerable to Improper Control Of Dynamically-Managed Code Resources allowing attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.
Fix: Upgrade this library to at least version 3.9.16 at JS-App/package-lock.json:67635.
Reference(s): GHSA-xj72-wvfv-8985, CVE-2023-29199
Ignore this finding from ssc-d68b627b-18e0-4a15-892f-4ad0052bbd9a.
| @@ -731,6 +731,8 @@ async function createOrders () { | |||
| const script = new VMScript(createOrders); | |||
| try { | |||
| const result = vm.run(script); | |||
| const result = vm.run(script); | |||
There was a problem hiding this comment.
Risk: The package vm2 3.x before 3.9.11 is vulnerable to a sandbox bypass which enables arbitrary code to run out of the sandbox context, leading to execution on the host machine. It is recommended to upgrade to vm2 3.9.11.
Fix: Upgrade this library to at least version 3.9.11 at JS-App/package-lock.json:67635.
Reference(s): GHSA-mrgp-mrhc-5jrq, CVE-2022-36067
Ignore this finding from ssc-4035c22a-c2c2-4a3a-9bdf-5fa36b0bb1ce.
Description
A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.
Resolved or fixed issue:
Affirmation