CVE-2024-34347

EPSS 0.12%
Veröffentlicht 08.05.2024 15:15:11
Zuletzt bearbeitet 10.06.2025 16:15:34
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerhoppscotch

≫

Produkt hoppscotch

Default Statusunknown

Version < 0.8.0

Version 0.5.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.323

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.3	1.6	6	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01

https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr

https://www.sonarsource.com/blog/scripting-outside-the-box-api-client-security-risks-part-2

https://nvd.nist.gov/vuln/detail/CVE-2024-34347

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-34347

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-34347

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-34347