Status regarding CVE-2022-39266 #379

Closed
mehradn7 opened this issue Jul 25, 2023 · 7 comments
Comments

@mehradn7

Hello,

What is the status of isolated-vm regarding CVE-2022-39266?

The GitHub advisory states that versions up to 4.3.6 are vulnerable but does not mention any patched version.

Is the latest version of isolated-vm (4.6.0 at the time of writing) vulnerable to CVE-2022-39266?

Thanks.

@laverdet (Owner)

Hi, the issue was one of documentation. 218e87a is the commit that "fixed" the issue.

@mehradn7 (Author)

Hi @laverdet, thanks for the answer. If the cachedData option is not enabled by default, then one could expect the CVE to be marked as fixed in the GitHub Advisory Database (and other CVE databases). It is strange that this is not the case, as all security scanning tools may mark this CVE as "not patched".

@moisesfemsa

You can check it here: Snyk scan marked as not patchable

@mehradn7 (Author) commented Jul 27, 2023

> You can check it here: Snyk scan marked as not patchable

It is marked as not patched ("there is no fixed version", similar to the GitHub Advisory), which is quite different from not patchable.

@hedgehog80 commented Aug 23, 2023

Hello @laverdet, the advisory in this case has no 'Patched version' specified:

GHSA-2jjq-x548-rhpv

and it looks like, because of this, it is listed in the Snyk advisory database as active:

https://security.snyk.io/vuln/SNYK-JS-ISOLATEDVM-3037320

while

https://nvd.nist.gov/vuln/detail/CVE-2022-39266

does not.

If the readme change in 218e87a "fixed" the issue, please update the advisory you published on GitHub with 4.3.7 as the 'Patched version', so people can use isolated-vm in their projects without raising red flags from security people.

As I understand it, the advisory in question is about the lack of guidance for an improper use case (users supplying cached data), and that guidance is there now, so it is fixed, right? This existing severe vulnerability in all advisory databases is really confusing, because it is like the latest version of Node.js: it does have an exec() option which could be used with insecure code, and there is guidance on avoiding it, but still they don't list every version of Node.js itself as vulnerable, right?

Please update CVE-2022-39266 to sort this out.

Thank you!

@hedgehog80

https://security.snyk.io/vuln/SNYK-JS-ISOLATEDVM-3037320

looks correct now: versions < 4.3.7 affected.

Thank You @laverdet !

I guess it is Ok to close this issue now, @mehradn7 what do you think?

@mehradn7 (Author) commented Aug 26, 2023

Hi, indeed it seems that NVD, GHSA and Snyk have updated their databases, so this ticket can be closed.
Thanks!

4 participants