CVE-2023-26122

CVSS V2 None CVSS V3 None

Description

All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable functions:** __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().

Overview

CVE ID
CVE-2023-26122

Assigner
report@snyk.io

Vulnerability Status
Analyzed

Published Version
2023-04-11T05:15:07

Last Modified Date
2023-04-18T19:13:21

Weakness Enumerations

CWE	URL
CWE-1321	http://cwe.mitre.org/data/definitions/1321.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:safe-eval_project:safe-eval::::::node.js::*	1	OR		0.4.1

References

Reference URL	Reference Tags
https://gist.github.com/seongil-wi/2db6cb884e10137a93132b7f74879cce
https://github.com/hacksparrow/safe-eval/issues/27
https://github.com/hacksparrow/safe-eval/issues/31
https://github.com/hacksparrow/safe-eval/issues/32
https://github.com/hacksparrow/safe-eval/issues/33
https://github.com/hacksparrow/safe-eval/issues/34
https://github.com/hacksparrow/safe-eval/issues/35
https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373064

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-26122
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26122

History

Created	Old Value	New Value	Data Type	Notes
2023-04-17 04:28:47				Added to TrackCVE
2023-04-18 20:00:44		2023-04-18T19:13:21	CVE Modified Date	updated
2023-04-18 20:00:44	Undergoing Analysis	Analyzed	Vulnerability Status	updated
2023-04-18 20:00:46			Weakness Enumeration	new
2023-04-18 20:00:48			CPE Information	updated