CVE-2023-27562: Releases · n8n-io/n8n
The n8n package 0.218.0 for Node.js allows Directory Traversal.
Changes (2023-05-03)
Bug Fixes
- core: Fix bug running addUserActivatedColumn migration on MariaDB (#6157) (aa8e96d)
Changes (2023-05-03)
Bug Fixes
- AWS S3 Node: Fix File upload, and add node tests (#6153) (deb4c04)
- Compression Node: Fix issue with decompression failing with uppercase extensions (#6098) (aa59329)
- core: Account for nodes with renamable content (#6109) (c99f158)
- core: Assign Unknown Error only if message or description not present in error (8aedc03)
- core: Avoid using Object.keys on Buffer and other non-plain objects (#6131) (a3aba83)
- core: Better error message in Webhook node when using the POST method (a0dd17e)
- core: Better errors for common status codes fix (700cc39)
- core: Fix hasOwnProperty on augmented objects (#6124) (206b6b9)
- core: Fix bug running addUserActivatedColumn migration on MariaDB (#6157) (570790e)
- core: Fix canceled execution status (#6142) (839a56a)
- core: Improve saml endpoints and audit events (#6107) (c0b1cdd)
- core: Remove SAML config metadataUrl if XML metadata is set directly (#6143) (25fe14b)
- core: Skip auth for controllers/routes that don't use the Authorized decorator, or use Authorized('none') (#6106) (59aee22)
- Correctly allow sharees to test credential when opening the modal (#6111) (2e73f4a)
- Date & Time Node: Numbers conversions fix (14f7114)
- editor: Change execution list tab loader design (#6120) (188ef04)
- editor: Disable changing of email and pw when SAML login enabled (#6104) (3e9ecd9)
- editor: Fix Show details summary (#6113) (90a62cc)
- editor: Fix copy selection behavior (#6112) (1607aeb)
- editor: Fix cropped off completions docstrings (#6129) (85e8145)
- editor: Fix focus jumping when using chrome autofill (#6140) (c63181b)
- editor: Fix missing Stop Listening button (#6125) (20a72bb)
- editor: Fix quote handling on dollar-sign variable completions (#6128) (51f5990)
- editor: Fix sidebar button styling (#6138) (a72a511)
- editor: Fix unique names for node duplication (#6134) (71ae6c6)
- editor: Fix unscrollable node settings (#6133) (c8ff368)
- editor: Loading state for executions tab (#6100) (4cbb05b)
- editor: Remove pagination from binary data output (#6093) (c6e665a)
- editor: Restrict [empty] in parameter input hint to zero-length string (#6003) (8862e1e)
- editor: Show error in RLC if credentials are not set (#6108) (2c240a0)
- HTTP Request Node: Add description for 'Specify Body' option (#6114) (af097ae)
- HTTP Request Node: Always lowercase headers (983e6e1)
- Mattermost Node: Fix base url trailing slash error (#6097) (25a386d)
- Merge Node: Do not error if expected key is missing (d219af7)
- Prevent displaying an endless timer in the execution list for finished executions (#6137) (701105e)
- Prevent invocations of 'GET /rest/license' from returning an error when ephemeral licenses are used (#6154) (a3d26ef)
- Slack Node: Restore ability to send text in addition of blocks or attachments (8669f95)
Features
- core: Add notice to alert users a new version is available (cb497fb)
- editor: Add support for loadOptionsDependsOn to RLC (#6101) (b17d5f9)
- editor: Add version controls settings (WIP) (#6036) (0c9ce3a)
- Item Lists Node: Split out items work on objects as well as arrays (c65ac03)
- Microsoft Excel 365 Node: Overhaul (5364a2d)
Changes (2023-05-02)
Bug Fixes
- Compression Node: Fix issue with decompression failing with uppercase extensions (#6098) (7136500)
- core: Account for nodes with renamable content (#6109) (b561d46)
- core: Fix hasOwnProperty on augmented objects (#6124) (2f015c0)
- core: Fix canceled execution status (#6142) (1796101)
- core: Skip auth for controllers/routes that don't use the Authorized decorator, or use Authorized('none') (#6106) (9d44991)
- Correctly allow sharees to test credential when opening the modal (#6111) (240bb47)
- Date & Time Node: Numbers conversions fix (e11e7cd)
- editor: Change execution list tab loader design (#6120) (ffc033f)
- editor: Fix Show details summary (#6113) (e12bafb)
- editor: Fix copy selection behavior (#6112) (0efd94a)
- editor: Fix cropped off completions docstrings (#6129) (06594cc)
- editor: Fix missing Stop Listening button (#6125) (dcbd2d2)
- editor: Fix quote handling on dollar-sign variable completions (#6128) (c23ad35)
- editor: Fix sidebar button styling (#6138) (d3f4bc1)
- editor: Fix unique names for node duplication (#6134) (48a4068)
- editor: Fix unscrollable node settings (#6133) (f762f16)
- editor: Loading state for executions tab (#6100) (2e12c50)
- editor: Remove pagination from binary data output (#6093) (7b7d9de)
- editor: Show error in RLC if credentials are not set (#6108) (5bf3400)
- HTTP Request Node: Add description for 'Specify Body' option (#6114) (69b6ba8)
- HTTP Request Node: Always lowercase headers (31c56a1)
- Mattermost Node: Fix base url trailing slash error (#6097) (788fda1)
- Merge Node: Do not error if expected key is missing (8b59564)
- Prevent displaying an endless timer in the execution list for finished executions (#6137) (2672896)
- Slack Node: Restore ability to send text in addition of blocks or attachments (625d672)
Changes (2023-04-26)
Bug Fixes
- Code Node: Update vm2 to address CVE-2023-30547 (#6039) (8268f23)
- core: Improve domain and url matching for extractDomain and extractUrl (#6010) (33fb732)
- core: Serialize dates and regexps when reading from augmented objects (#6086) (a4eb46a)
- core: Skip license activation when instance was already activated (#6064) (eaf7090)
- editor: Clean up demo and template callouts from workflows page (#6023) (4ee5083)
- editor: Fix memory leak in Node Detail View by correctly unsubscribing from event buses (#6021) (0970ec0)
- editor: Fix typo in SSO upgrade link (#6031) (9b59f1d)
- editor: Resolve expressions for grandparent nodes (#5859) (a19d444)
- editor: SettingsSidebar should disconnect from push when navigating away (#6025) (41660d9)
- editor: Update LDAP and Log streaming paywalls (#6069) (8a3b3e5)
- editor: Update SSO upgrade link (#6016) (953198e)
- Notion Node: Update credential test to not require user permissions (#6022) (a68330f)
Features
- core: Add license:info command (#6047) (ab12d3e)
- core: Add SSH key generation (#6006) (71ed1f4)
- core: Add support for digestAuth to httpRequest and declarative style (#5676) (62f993c)
- core: Manage version control settings (#6079) (f3b4701)
- core: Upgrade google-timezones-json to use the correct timezone for Sao Paulo (#6042) (b8cb5d7), closes #2647
- editor: Add disable template experiment (#5963) (a74284b)
- editor: Add SQL editor support (#5517) (70aaf24)
- editor: Enhance Node Creator actions view (#5954) (390841b)
- editor: Version control (WIP) (#6013) (0e0a064)
- editor: Version control paywall (WIP) (#6030) (ef79b03)
- Google BigQuery Node: Node improvements (#4877) (9817a15)
Changes (2023-04-20)
Bug Fixes
- editor: Clean up demo and template callouts from workflows page (#6023) (6ec1c45)
- editor: Fix memory leak in Node Detail View by correctly unsubscribing from event buses (#6021) (1b9e047)
- editor: SettingsSidebar should disconnect from push when navigating away (#6025) (e9f8cfe)
- Notion Node: Update credential test to not require user permissions (#6022) (6d02ae5)
Changes (2023-04-20)
Bug Fixes
- core: Fix paired item returning wrong data (#5898) (2a45441)
- core: Make getExecutionId available on all nodes types (#5990) (8373aab)
- editor: Fix memory leak in Node Detail View by correctly unsubscribing from event buses (#6021) (d8fce5b)
- editor: Fix moving canvas on middle click preventing lasso selection (#5996) (a7a5778)
- editor: SettingsSidebar should disconnect from push when navigating away (#6025) (b475c8f)
- Google Sheets Trigger Node: Return actual error message (5e59141)
- HTTP Request Node: Fix itemIndex in HTTP Request errors (#5991) (4a521a4)
- Notion Node: Update credential test to not require user permissions (#6022) (14c9b5e)
Changes (2023-04-19)
Bug Fixes
- core: Fix broken API permissions in public API (#5978) (49d838f)
- core: Fix paired item returning wrong data (#5898) (b13b7d7)
- core: Improve SAML connection test result views (#5981) (4c994fa)
- core: Make getExecutionId available on all nodes types (#5990) (c42820e)
- core: Skip SAML onboarding for users with first- and lastname (#5966) (8474cd3)
- editor: Add padding to prepend input (#5874) (cd89489)
- editor: Cleanup demo/video experiment (#5974) (c171365)
- editor: Enterprise features missing with UM (#5995) (f9a810a)
- editor: Fix moving canvas on middle click preventing lasso selection (#5996) (3c2a569)
- editor: Make sure to redirect to blank canvas after personalization modal (#5980) (7c474d3)
- editor: Only treat as CTRL pressed by default on touch devices for MouseEvent (#5968) (536d810)
- editor: Fix n8n-checkbox alignment (#6004) (f544826)
- Code Node: Consistently handle various kinds of data returned by user code (#6002) (f9b3aea)
- Github Trigger Node: Remove content_reference event (#5830) (d288a91)
- Google Sheets Trigger Node: Return actual error message (ba5b4eb)
- HTTP Request Node: Fix itemIndex in HTTP Request errors (#5991) (b351c62)
- NocoDB Node: Fix for updating or deleting rows with not default primary keys (ee7f863)
- OpenAI Node: Update models to only show those supported (#5805) (29959be)
- OpenAI Node: Update OpenAI Text Moderate input placeholder text (#5823) (6b9909b)
Features
- core: Add variables feature (#5602) (1bb9871)
- core: Add versionControl feature flag (#6000) (33299ca)
- core: Support for google service account in HTTP node (0b48088)
- editor: Add Ask AI preview (#5916) (f8f8374)
- GitLab Node: Add Additional parameters for File List (#5621) (3810039)
- MySQL Node: Overhaul (0a53c95)
Changes (2023-04-14)
Bug Fixes
- core: Fix broken API permissions in public API (#5978) (f4be887)
- editor: Only treat as CTRL pressed by default on touch devices for MouseEvent (#5968) (57af90f)
- editor: Update vite legacy-plugin browser target (no-changelog) (#5952) (f565b16)
Related news
The n8n package prior to version 0.216.1 for Node.js allows Directory Traversal.
Red Hat Security Advisory 2023-1894-01 - Multicluster Engine for Kubernetes 2.1 hotfix security update for console. Red Hat Product Security has rated this update as having a security impact of Critical.
Red Hat Security Advisory 2023-1897-01 - Red Hat Advanced Cluster Management for Kubernetes hotfix security update for console. Red Hat Product Security has rated this update as having a security impact of Critical.
Red Hat Security Advisory 2023-1896-01 - Red Hat Advanced Cluster Management for Kubernetes hotfix security update for console. Red Hat Product Security has rated this update as having a security impact of Critical.
Red Hat Security Advisory 2023-1893-01 - Red Hat Multicluster Engine Hotfix Security Update for Console. Red Hat Product Security has rated this update as having a security impact of Critical.
There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context.
Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
Patches
This vulnerability was patched in the release of version `3.9.17` of `vm2`.
Workarounds
None.
References
- PoC: https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244
For more information
If you have any questions or comments about this advisory:
- Open an issue in [VM2](https://github.com/patriksimek/vm2)
Thanks to [Xion](https://twitter.com/0x10n) (SeungHyun Lee) of [KAIST Hacking Lab](https://kaist-hacking.github.io/) for disclosing this vulnerability.
Red Hat Advanced Cluster Management for Kubernetes hotfix security update for console. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-29017: A flaw was found in vm2 where the component was not properly handling asynchronous errors. This flaw allows a remote, unauthenticated attacker to escape the restrictions of the sandbox and execute code on the host.
- CVE-2023-29199: There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for ve...
Multicluster Engine for Kubernetes 2.1 hotfix security update for console. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-29017: A flaw was found in vm2 where the component was not properly handling asynchronous errors. This flaw allows a remote, unauthenticated attacker to escape the restrictions of the sandbox and execute code on the host.
- CVE-2023-29199: There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to...
A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of the sandbox protections. Both the flaws, CVE-2023-29199 and CVE-2023-30547, are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively. Successful exploitation of the bugs, which allow
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.