CVE-2023-26919: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
delight-nashorn-sandbox 0.2.4 and 0.2.5 are vulnerable to a sandbox escape. Even when allowExitFunctions is set to false, the loadWithNewGlobal function can be used to invoke the exit and quit methods to exit the Java process.
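To check whether a Maven project declares one of the two versions named above, the following added example (not part of the advisory or of any GitLab tooling) parses a pom.xml and resolves versions set through POM properties. It matches on the artifactId only; the groupId and property name in the sample POM are assumptions made for the constructed sample.

```python
import re
import xml.etree.ElementTree as ET

ARTIFACT = "delight-nashorn-sandbox"
AFFECTED = {"0.2.4", "0.2.5"}  # the two versions the advisory names

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace, if any

def _child(elem, name):
    for c in elem:
        if _local(c.tag) == name:
            return (c.text or "").strip()
    return None

def find_affected(pom_xml):
    """Return (version, status) for every declaration of the artifact."""
    root = ET.fromstring(pom_xml)
    props = {}
    for e in root:
        if _local(e.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in e}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency" or _child(dep, "artifactId") != ARTIFACT:
            continue
        raw = _child(dep, "version")
        if raw is None:  # version managed by a parent POM or BOM
            findings.append((None, "unresolved"))
            continue
        # Substitute ${property} references defined in this POM.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        if "${" in ver:
            status = "unresolved"
        else:
            status = "affected" if ver in AFFECTED else "not-listed"
        findings.append((ver, status))
    return findings

# Constructed sample POM (not from the advisory); the version comes from a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><sandbox.version>0.2.5</sandbox.version></properties>
  <dependencies><dependency>
    <groupId>org.javadelight</groupId>
    <artifactId>delight-nashorn-sandbox</artifactId>
    <version>${sandbox.version}</version>
  </dependency></dependencies>
</project>"""

if __name__ == "__main__":
    print(find_affected(SAMPLE_POM))
```

A status of "not-listed" only means the version is not one of the two named in this advisory, and "unresolved" entries need the effective POM to be checked.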