Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yMnJyLWYzcDgtNWdmOM4AA15b
Directus affected by VM2 sandbox escape vulnerability
Impact
In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code. Within Directus this applies to the "Run Script" operation in flows being able to escape the sandbox running code in the main nodejs context.
Patches
Patched in v10.6.0 by replacing vm2 with isolated-vm
Workarounds
None
References
https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
Permalink: https://github.com/advisories/GHSA-22rr-f3p8-5gf8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yMnJyLWYzcDgtNWdmOM4AA15b
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-22rr-f3p8-5gf8
References:
- https://github.com/directus/directus/security/advisories/GHSA-22rr-f3p8-5gf8
- https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
- https://github.com/directus/directus/pull/19332
- https://github.com/directus/directus/commit/284156426fa94f688e8d65a7a4f34f9e6705f058
- https://github.com/advisories/GHSA-22rr-f3p8-5gf8
Blast Radius: 15.9
Affected Packages
npm:directus
Dependent packages: 16Dependent repositories: 115
Downloads: 36,483 last month
Affected Version Ranges: < 10.6.0
Fixed in: 10.6.0
All affected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.12.2, 9.13.0, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.5, 9.15.0, 9.15.1, 9.16.0, 9.16.1, 9.17.0, 9.17.1, 9.17.2, 9.17.3, 9.17.4, 9.18.0, 9.18.1, 9.19.0, 9.19.1, 9.19.2, 9.20.0, 9.20.1, 9.20.2, 9.20.3, 9.20.4, 9.21.0, 9.21.2, 9.22.0, 9.22.1, 9.22.3, 9.22.4, 9.23.1, 9.23.3, 9.23.4, 9.24.0, 9.25.0, 9.25.1, 9.25.2, 9.26.0, 10.0.0, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.5.1, 10.5.2, 10.5.3
All unaffected versions: 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.7.0, 10.7.1, 10.7.2, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0, 10.9.1, 10.9.2, 10.9.3, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5, 10.10.6, 10.10.7, 10.11.0, 10.11.1, 10.11.2, 10.12.0, 10.12.1, 10.13.0, 10.13.1, 10.13.2, 10.13.4, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.1.1, 11.1.2, 11.2.0, 11.2.1, 11.2.2, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.4.0