CVE-2021-21413

Misuse of `Reference` and other transferable APIs may lead to access to nodejs isolate

Severity Score

9.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

isolated-vm is a library for nodejs which gives you access to v8's Isolate interface. Versions of isolated-vm before v4.0.0 have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate. Reference objects allow access to the underlying reference's full prototype chain. In an environment where the implementer has exposed a Reference instance to an attacker they would be able to use it to acquire a Reference to the nodejs context's Function object. Similar application-specific attacks could be possible by modifying the local prototype of other API objects. Access to NativeModule objects could allow an attacker to load and run native code from anywhere on the filesystem. If combined with, for example, a file upload API this would allow for arbitrary code execution. This is addressed in v4.0.0 through a series of related changes.

isolated-vm es una biblioteca para nodejs que le da acceso a la interfaz Isolate de v8. Las versiones de isolated-vm anteriores a v4.0.0 presentan unas limitaciones de la API que puede facilitar a implementadores una exposición de supuestos aislamientos seguros para los permisos del aislamiento de nodejs principal. Los objetos de referencia permiten el acceso a la cadena de prototipos completa de la referencia subyacente. En un entorno donde el implementador ha expuesto una instancia de Referencia a un atacante, podría ser capaz de usarla para adquirir una Referencia al objeto de Función del contexto de nodejs. Se podrían realizar ataques específicos de aplicaciones similares al modificar el prototipo local de otros objetos API. Un acceso a los objetos NativeModule podría permitir a un atacante cargar y ejecutar código nativo desde cualquier lugar del sistema de archivos. Si es combinado con, por ejemplo, una API de carga de archivos, esto permitiría una ejecución de código arbitrario. Esto es abordado en versión v4.0.0 mediante una serie de cambios relacionados.

*Credits: N/A

CVSS Scores

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-03-30 CVE Published
2024-03-05 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-913: Improper Control of Dynamically-Managed Code Resources

CAPEC

References (4)

URL	Tag	Source
https://github.com/laverdet/isolated-vm/blob/main/CHANGELOG.md#v400	Release Notes
https://github.com/laverdet/isolated-vm/security/advisories/GHSA-mmhj-4w6j-76h7	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/laverdet/isolated-vm/commit/2646e6c1558bac66285daeab54c7d490ed332b15	2021-04-07
https://github.com/laverdet/isolated-vm/commit/27151bfecc260e96714443613880e3b2e6596704	2021-04-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Isolated-vm Project Search vendor "Isolated-vm Project"		Isolated-vm Search vendor "Isolated-vm Project" for product "Isolated-vm"				< 4.0.0 Search vendor "Isolated-vm Project" for product "Isolated-vm" and version " < 4.0.0"		node.js		Affected