laverdet / isolated-vm

Secure & isolated JS environments for nodejs
ISC License

Status regarding CVE-2022-39266 #379

Closed mehradn7 closed 1 year ago

mehradn7 commented 1 year ago

Hello,

What is the status of isolated-vm regarding CVE-2022-39266?

The GitHub advisory states that versions up to 4.3.6 are vulnerable but does not mention any patched version.

Is the latest version of isolated-vm (4.6.0 at the time of writing) vulnerable to CVE-2022-39266?

Thanks.

laverdet commented 1 year ago

Hi, the issue was one of documentation. 218e87a6d4e8cb818bea76d1ab30cd0be51920e8 is the commit that "fixed" the issue.

mehradn7 commented 1 year ago

Hi @laverdet, thanks for the answer. If the cachedData option is not enabled by default, then one could expect the CVE to be marked as fixed in the GitHub Advisory Database (and other CVE databases); it is strange that this is not the case, as all security scanning tools may mark this CVE as "not patched".

moisesfemsa commented 1 year ago

You can check about it here: Snyk scan marked as not patchable

mehradn7 commented 1 year ago

> You can check about it here: Snyk scan marked as not patchable

It is marked as not patched ("there is no fixed version", similar to GitHub Advisory), which is quite different from not patchable.

hedgehog80 commented 1 year ago

Hello @laverdet, the advisory in this case has no 'Patched version' specified

https://github.com/advisories/GHSA-2jjq-x548-rhpv

and it looks like, because of this, it is listed in the Snyk advisory database as active

https://security.snyk.io/vuln/SNYK-JS-ISOLATEDVM-3037320

while https://nvd.nist.gov/vuln/detail/CVE-2022-39266

does not

If the readme change here https://github.com/laverdet/isolated-vm/commit/218e87a6d4e8cb818bea76d1ab30cd0be51920e8 "fixed" the issue, please update the advisory you published on GitHub with 4.3.7 as 'Patched version', so people could use isolated-vm in their projects without raising red flags from security people.

As I understand it, the advisory in question is about a lack of guidance for an improper use-case with users supplying cached data, which is there now, so it is fixed, right? This existing severe vulnerability in all advisory databases is really confusing, because it is like with the latest version of nodejs - it does have an exec() option which could be used with insecure code, and there is guidance on avoiding it, but still they don't list every version of nodejs itself as vulnerable, right?

Please update CVE-2022-39266 to sort this out.

Thank You!

hedgehog80 commented 1 year ago

https://security.snyk.io/vuln/SNYK-JS-ISOLATEDVM-3037320

looks correct now - versions < 4.3.7 affected

Thank You @laverdet !

I guess it is OK to close this issue now; @mehradn7, what do you think?

mehradn7 commented 1 year ago

Hi, indeed it seems that NVD, GHSA and Snyk have updated their databases, so the ticket can be closed. Thanks!