Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE–2023–45311 #56

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix CVE–2023–45311 #56

wants to merge 1 commit into from

Conversation

debricked[bot]
Copy link

@debricked debricked bot commented Jan 29, 2024

CVE–2023–45311

Vulnerability details

Description

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

GitHub

Code injection in fsevents

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary.

NVD

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.

GitLab Advisory Database (Open Source Edition)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary.

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
References

    Code injection in fsevents · CVE-2023-45311 · GitHub Advisory Database · GitHub
    NVD - CVE-2023-45311
    npm/fsevents/CVE-2023-45311.yml · main · GitLab.org / GitLab Advisory Database Open Source Edition · GitLab
    authr/ts/package-lock.json at 3f6129d97d06e61033a7f237d84e35e678db490f · cloudflare/authr · GitHub
    Comparing v1.2.10...v1.2.11 · fsevents/fsevents · GitHub
    hugo-cloudflare-docs/package-lock.json at e0f7cfa195af8ef1bfa51a487be7d34ba298ed06 · cloudflare/hugo-cloudflare-docs · GitHub
    redux-grim/package-lock.json at b652f99f95fb16812336073951adc5c5a93e2c23 · cloudflare/redux-grim · GitHub
    moo/package-lock.json at 56ccbdd41b493332bc2cd7a4097a5802594cdb9c · atlassian/moo · GitHub
    Release v1.2.11 · fsevents/fsevents@909af26 · GitHub
    react-immutable-proptypes/package-lock.json at ddb9fa5194b931bf7528eb4f2c0a8c3434f70edd · atlassian/react-immutable-proptypes · GitHub
    serverless-cloudflare-workers/package-lock.json at e95e1e9c9770ed9a3d9480c1fa73e64391268354 · cloudflare/serverless-cloudflare-workers · GitHub
    Exposure of Resource to Wrong Sphere in fsevents | CVE-2023-45311 | Snyk
    404 when downloading precompiled binaries · Issue #357 · fsevents/fsevents · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants