Problem/Motivation

In 9.5.x, running yarn audit reports the following critical issue with vm2:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ vm2 vulnerable to Sandbox Escape resulting in Remote Code    │
│               │ Execution on host                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ vm2                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.9.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nightwatch > proxy-agent > pac-proxy-agent > pac-resolver >  │
│               │ degenerator > vm2                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1084716                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

This has been discussed with the security team, and it has been determined that this can be handled in public.

Steps to reproduce

Proposed resolution

Upgrade vm2 in yarn.lock.
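An added check, not part of this issue or of Drupal core: parse the vm2 entries out of a yarn.lock (v1 format) and flag any that still resolve below the 3.9.11 "Patched in" version from the audit table. The lock fragment below is constructed for the example; the functions are hypothetical helpers.

```python
"""Check a yarn.lock (v1 format) for vm2 entries older than the patched release."""
import re
from typing import Dict, List, Tuple

PATCHED_VM2 = "3.9.11"  # "Patched in" version from the yarn audit report above

# Constructed yarn.lock fragment (not Drupal's real lock file): one vm2 entry is
# still on a vulnerable release, the other has already been upgraded.
SAMPLE_LOCK = '''\
vm2@^3.9.8:
  version "3.9.9"
  resolved "https://registry.yarnpkg.com/vm2/-/vm2-3.9.9.tgz"

"vm2@^3.9.11", vm2@3.9.11:
  version "3.9.11"
  resolved "https://registry.yarnpkg.com/vm2/-/vm2-3.9.11.tgz"
'''

def parse_version(v: str) -> Tuple[int, ...]:
    # Numeric tuple: compared as strings "3.9.9" > "3.9.11", the wrong answer.
    return tuple(int(p) for p in v.split("-")[0].split("."))

def resolved_versions(lock_text: str, package: str) -> Dict[str, str]:
    """Map each lock entry spec for `package` (e.g. 'vm2@^3.9.8') to the
    version it resolves to. An entry starts at an unindented 'spec, spec:'
    line; the indented 'version "x"' line that follows belongs to it."""
    found: Dict[str, str] = {}
    current: List[str] = []
    for line in lock_text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            specs = [s.strip().strip('"') for s in line[:-1].split(",")]
            # package name is everything before the last '@' (works for @scope/name)
            current = [s for s in specs if s.rsplit("@", 1)[0] == package]
            continue
        m = re.match(r'^\s+version\s+"([^"]+)"', line)
        if m and current:
            for spec in current:
                found[spec] = m.group(1)
            current = []
    return found

def vulnerable_entries(lock_text: str) -> List[Tuple[str, str]]:
    """(spec, version) pairs for vm2 entries still below PATCHED_VM2."""
    patched = parse_version(PATCHED_VM2)
    return [(spec, ver) for spec, ver in resolved_versions(lock_text, "vm2").items()
            if parse_version(ver) < patched]
```

Run it against the real yarn.lock after `yarn upgrade vm2` to confirm every resolved vm2 entry is at or above the patched version, since a second, older entry can survive the upgrade if another dependency pins a different range.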

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Comment | File | Size | Author
#2 | 3325517-2.patch | 728 bytes | longwave

Comments

longwave created an issue. See original summary.

longwave’s picture

Status: Active » Needs review
Status: new | File: 3325517-2.patch | Size: 728 bytes
longwave’s picture

catch’s picture

Status: Needs review » Reviewed & tested by the community

Looks good.

catch’s picture

Status: Reviewed & tested by the community » Fixed

Committed/pushed to 9.5.x, thanks!

  • catch committed c26201e on 9.5.x
    Issue #3325517 by longwave: Upgrade vm2 package

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Technorange’s picture

Upgrade vm2:3.9.15 due to vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-29017

greggles’s picture

@technorange can you file a new issue? This one is old and closed, so we need a new one for a new vulnerability.