{
  "threat_severity" : "Moderate",
  "public_date" : "2023-05-15T00:00:00Z",
  "bugzilla" : {
    "description" : "vm2: Inspect Manipulation",
    "id" : "2208377",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2208377"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-915",
  "details" : [ "vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.", "A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem." ],
  "acknowledgement" : "Red Hat would like to thank Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.",
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/console-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-32313\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-32313\nhttps://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v" ],
  "name" : "CVE-2023-32313",
  "mitigation" : {
    "value" : "After creating a vm, make the inspect method readonly with vm.readonly(inspect).",
    "lang" : "en:us"
  },
  "csaw" : false
}