SCA: security update for ses (GHSA-9c4h-3f7h-322r)

critical Tenable Cloud Security Plugin ID 413188

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- SES is a JavaScript environment that allows safe execution of arbitrary programs in Compartments. In
version 0.18.0 prior to 0.18.7, 0.17.0 prior to 0.17.1, 0.16.0 prior to 0.16.1, 0.15.0 prior to 0.15.24,
0.14.0 prior to 0.14.5, an 0.13.0 prior to 0.13.5, there is a hole in the confinement of guest
applications under SES that may manifest as either the ability to exfiltrate information or execute
arbitrary code depending on the configuration and implementation of the surrounding host. Guest program
running inside a Compartment with as few as no endowments can gain access to the surrounding host’s
dynamic import by using dynamic import after the spread operator, like
`{...import(arbitraryModuleSpecifier)}`. On the web or in web extensions, a Content-Security-Policy
following ordinary best practices likely mitigates both the risk of exfiltration and execution of
arbitrary code, at least limiting the modules that the attacker can import to those that are already part
of the application. However, without a Content-Security-Policy, dynamic import can be used to issue HTTP
requests for either communication through the URL or for the execution of code reachable from that origin.
Within an XS worker, an attacker can use the host’s module system to the extent that the host has been
configured. This typically only allows access to module code on the host’s file system and is of limited
use to an attacker. Within Node.js, the attacker gains access to Node.js’s module system. Importing the
powerful builtins is not useful except insofar as there are side-effects and tempered because dynamic
import returns a promise. Spreading a promise into an object renders the promises useless. However,
Node.js allows importing data URLs, so this is a clear path to arbitrary execution. Versions 0.18.7,
0.17.1, 0.16.1, 0.15.24, 0.14.5, and 0.13.5 contain a patch for this issue. Some workarounds are
available. On the web, providing a suitably constrained Content-Security-Policy mitigates most of the
threat. With XS, building a binary that lacks the ability to load modules at runtime mitigates the
entirety of the threat. That will look like an implementation of `fxFindModule` in a file like
`xsPlatform.c` that calls `fxRejectModuleFile`. (CVE-2023-39532)

See Also

https://github.com/advisories/GHSA-9c4h-3f7h-322r

Plugin Details

Severity: Critical

ID: 413188

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-39532

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/9/2023

Vulnerability Publication Date: 8/8/2023

Reference Information

CVE: CVE-2023-39532

cwe: CWE-20