CVE-2024-34347

@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE

Severity Score

8.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0.

@hoppscotch/cli es una CLI para ejecutar scripts de prueba de Hoppscotch en entornos de CI. Antes de 0.8.0, el paquete @hoppscotch/js-sandbox proporciona un entorno limitado de Javascript que utiliza el módulo vm de Node.js. Sin embargo, el módulo vm no es seguro para el código Javascript que no es de confianza. Esto se debe a que el código dentro del contexto de la máquina virtual puede romperse si puede obtener cualquier referencia a un objeto creado fuera de la máquina virtual. En el caso de @hoppscotch/js-sandbox, se pasan múltiples referencias a objetos externos al contexto de la máquina virtual para permitir interacciones de scripts de solicitud previa con variables de entorno y más. Pero esto también permite que el script de solicitud previa escape del entorno limitado. Esta vulnerabilidad se solucionó en 0.8.0.

*Credits: N/A

CVSS Scores

GitHubv3.1 8.3

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-05-02 CVE Reserved
2024-05-08 CVE Published
2024-05-09 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CAPEC

References (2)

URL	Tag	Source
https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01	X_refsource_misc
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hoppscotch Search vendor "Hoppscotch"		Hoppscotch Search vendor "Hoppscotch" for product "Hoppscotch"				>= 0.5.0 < 0.8.0 Search vendor "Hoppscotch" for product "Hoppscotch" and version " >= 0.5.0 < 0.8.0"		en		Affected