Status regarding CVE-2022-39266 #379
Comments
Hi, the issue was one of documentation. 218e87a is the commit that "fixed" the issue.
Hi @laverdet, thanks for the answer. If the cachedData option is not enabled by default, then one could expect the CVE to be marked as fixed in the GitHub Advisory Database (and other CVE databases). It is strange that this is not the case, as all security scanning tools may mark this CVE as "not patched".
You can check about it here: Snyk scan marked as not patchable.
It is marked as not patched ("there is no fixed version", similar to GitHub Advisory), which is quite different from not patchable.
Hello @laverdet, the advisory in this case has no 'Patched version' specified, and it looks like because of this it is listed in the Snyk advisory database as active (https://security.snyk.io/vuln/SNYK-JS-ISOLATEDVM-3037320). If the readme change here (218e87a) "fixed" the issue, please update the advisory you published on GitHub with 4.3.7 as the 'Patched version', so people could use isolated-vm in their projects without raising red flags from security people. As I understand it, the advisory in question is about a lack of guidance for an improper use-case, with users supplying cached data, and that guidance is there now, so it is fixed, right? This existing severe vulnerability in all advisory databases is really confusing, because it is like the latest version of Node.js: it has an exec() option which could be used with insecure code, and there is guidance on avoiding it, but still they don't list every version of Node.js itself as vulnerable, right? Please update CVE-2022-39266 to sort this out. Thank you!
https://security.snyk.io/vuln/SNYK-JS-ISOLATEDVM-3037320 looks correct now: versions < 4.3.7 affected. Thank you @laverdet! I guess it is OK to close this issue now. @mehradn7, what do you think?
Hi, indeed it seems that NVD, GHSA and Snyk updated their databases, so the ticket can be closed.
Hello,
What is the status of isolated-vm regarding CVE-2022-39266?
The GitHub advisory states that versions up to 4.3.6 are vulnerable but does not mention any patched version.
Is the latest version of isolated-vm (4.6.0 at the time of writing) vulnerable to CVE-2022-39266?
Thanks.