Bug 2245102 (CVE-2023-45133)

Summary: CVE-2023-45133 babel: arbitrary code execution
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: boliveir, chazlett, drichtar, jcantril, lbalhar, magaphon, mulliken, pdrozd, peholase, pjindal, pskopek, rlavi, rowaters, sthorger
Target Milestone: ---
Keywords: Security, Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: babel 8.0.0-alpha.4, babel 7.23.2
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the babel package. Using certain plugins with Babel code could lead to arbitrary code execution. This issue could allow a remote attacker to craft code and then trick the user into compiling it.
Bug Depends On: 2253442, 2253443, 2253444, 2245106, 2245108, 2245109, 2245111, 2245112, 2245113, 2245114, 2245115, 2245116, 2245117, 2245118, 2245119, 2245120, 2245121, 2245122, 2245123, 2245124, 2245125, 2245126, 2245127, 2245128, 2245129, 2245130, 2245131, 2245132, 2245133, 2245134, 2245135, 2245136, 2245137, 2245138, 2245139, 2253445, 2253446, 2253447, 2253448, 2253449, 2253450, 2253451, 2253452, 2253453, 2253510, 2254202, 2254203    
Bug Blocks: 2245103    

Description Nick Tait 2023-10-19 18:47:09 UTC
Babel is a compiler for writing JavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.

https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
https://github.com/babel/babel/pull/16033
https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4
https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82
https://github.com/babel/babel/releases/tag/v7.23.2
https://www.debian.org/security/2023/dsa-5528
https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html

via http://localhost:5600/static/?#/asm_ticket/101801
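
A defensive check for the versions listed in the description above, as an added example (not part of the original bug report or of the Babel project): it scans the `packages` map of an npm `package-lock.json` for entries below the fixed or mitigating releases. The function names, the lockfile v2/v3 layout assumption, and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag package-lock.json entries affected by CVE-2023-45133.
// Versions are the fixed/mitigating releases listed in the description;
// null means the description lists no fixed release for that package.
const FIXED = {
  "@babel/traverse": ["7.23.2", "8.0.0-alpha.4"],
  "babel-traverse": null,
  "@babel/plugin-transform-runtime": ["7.23.2"],
  "@babel/preset-env": ["7.23.2"],
  "@babel/helper-define-polyfill-provider": ["0.4.3"],
  "babel-plugin-polyfill-corejs2": ["0.4.6"],
  "babel-plugin-polyfill-corejs3": ["0.8.5"],
  "babel-plugin-polyfill-es-shims": ["0.10.0"],
  "babel-plugin-polyfill-regenerator": ["0.5.3"],
};
// Sort key: [major, minor, patch, isRelease, preTag, preNumber].
// A release outranks any prerelease of the same core version.
function parse(version) {
  const [core, pre = ""] = version.split("+")[0].split("-", 2);
  const [tag = "", n = "0"] = pre.split(".");
  return [...core.split(".").map(Number), pre ? 0 : 1, tag, Number(n)];
}
function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < x.length; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
// lock: a parsed package-lock.json (assumed lockfileVersion 2 or 3).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // handles nested copies
    if (!Object.hasOwn(FIXED, name) || !meta.version) continue;
    const fixed = FIXED[name], major = parse(meta.version)[0];
    // Compare against the fixed release on the same major line, else the oldest.
    const target = fixed && (fixed.find((f) => parse(f)[0] === major) || fixed[0]);
    if (!target || cmp(meta.version, target) < 0)
      findings.push({ path, name, version: meta.version, fix: target });
  }
  return findings;
}
// Constructed sample lockfile, for illustration only.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo", version: "1.0.0" },
  "node_modules/@babel/traverse": { version: "7.22.5" },
  "node_modules/@babel/preset-env": { version: "7.23.2" },
  "node_modules/babel-plugin-polyfill-corejs3": { version: "0.8.4" },
  "node_modules/legacy/node_modules/babel-traverse": { version: "6.26.0" },
  "node_modules/next/node_modules/@babel/traverse": { version: "8.0.0-alpha.4" },
} };
console.table(scanLockfile(sampleLock));
```

Nested copies matter here: a patched top-level `@babel/traverse` does not cover an older copy pinned under another dependency's `node_modules`.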

Comment 5 Avinash Hanwate 2023-12-07 13:56:24 UTC
Created cachelib tracking bugs for this issue:

Affects: fedora-all [bug 2253445]


Created fbthrift tracking bugs for this issue:

Affects: fedora-all [bug 2253446]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2253442]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2253447]


Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2253443]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-all [bug 2253448]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2253449]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2253450]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2253444]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2253451]


Created onnxruntime tracking bugs for this issue:

Affects: fedora-all [bug 2253452]


Created pgadmin4 tracking bugs for this issue:

Affects: fedora-all [bug 2253453]