CVE-2024-34347

@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr
https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr

Configurations

No configuration.

History

21 Nov 2024, 09:18

Type	Values Removed	Values Added
Summary		(es) @hoppscotch/cli es una CLI para ejecutar scripts de prueba de Hoppscotch en entornos de CI. Antes de 0.8.0, el paquete @hoppscotch/js-sandbox proporciona un entorno limitado de Javascript que utiliza el módulo vm de Node.js. Sin embargo, el módulo vm no es seguro para el código Javascript que no es de confianza. Esto se debe a que el código dentro del contexto de la máquina virtual puede romperse si puede obtener cualquier referencia a un objeto creado fuera de la máquina virtual. En el caso de @hoppscotch/js-sandbox, se pasan múltiples referencias a objetos externos al contexto de la máquina virtual para permitir interacciones de scripts de solicitud previa con variables de entorno y más. Pero esto también permite que el script de solicitud previa escape del entorno limitado. Esta vulnerabilidad se solucionó en 0.8.0.
References	~~() https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01 -~~	() https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01 -
References	~~() https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr -~~	() https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr -

08 May 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-08 15:15

Updated : 2024-11-21 09:18

NVD link : CVE-2024-34347

Mitre link : CVE-2024-34347

CVE.ORG link : CVE-2024-34347

JSON object : View

Products Affected

No product.

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

8.3 /10