CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 1CVE-2023-29199 – vm2 Sandbox escape vulnerability
https://notcve.org/view.php?id=CVE-2023-29199
There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`. A flaw was found in the vm2 sandbox. When exception handling is triggered, the sanitization logic is not managed with proper exception handling. • https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7 https://github.com/patriksimek/vm2/issues/516 https://github.com/patriksimek/vm2/releases/tag/3.9.16 https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985 https://access.redhat.com/security/cve/CVE-2023-29199 https://bugzilla.redhat.com/show_bug.cgi?id=2187409 • CWE-755: Improper Handling of Exceptional Conditions CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 4CVE-2023-29017 – vm2 Sandbox Escape vulnerability
https://notcve.org/view.php?id=CVE-2023-29017
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds. • https://github.com/timb-machine-mirrors/seongil-wi-CVE-2023-29017 https://github.com/passwa11/CVE-2023-29017-reverse-shell https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50 https://github.com/patriksimek/vm2/issues/515 https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv https://access.redhat.com/security/cve/CVE-2023-29017 https://bugzilla.redhat.com/show_bug.cgi?id=2185374 • CWE-755: Improper Handling of Exceptional Conditions CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2022-25893 – Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2022-25893
The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise. El paquete vm2 anterior a 3.9.10 es vulnerable a la ejecución de código arbitrario debido al uso de la búsqueda de prototipos para el método WeakMap.prototype.set. La explotación de esta vulnerabilidad conduce al acceso a un objeto host y a un compromiso de la sandbox. • https://github.com/patriksimek/vm2/issues/444 https://github.com/patriksimek/vm2/pull/445 https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69 https://security.snyk.io/vuln/SNYK-JS-VM2-2990237 •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 4CVE-2022-36067 – vm2 vulnerable to Sandbox Escape before v3.9.11
https://notcve.org/view.php?id=CVE-2022-36067
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds. vm2 es un sandbox que puede ejecutar código no confiable con los módulos incorporados de Node en la lista blanca. En versiones anteriores a 3.9.11, un actor de la amenaza puede omitir las protecciones del sandbox para conseguir derechos de ejecución de código remoto en el host que ejecuta el sandbox. • https://github.com/Prathamrajgor/Exploit-For-CVE-2022-36067 https://github.com/0x1nsomnia/CVE-2022-36067-vm2-POC-webapp https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71 https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164 https://github.com/patriksimek/vm2/issues/467 https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq https://security.netapp.com/advisory/ntap-20221017-0002 https:/&#x • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 2CVE-2019-10761 – Sandbox Bypass
https://notcve.org/view.php?id=CVE-2019-10761
This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code. Esto afecta al paquete vm2 versiones anteriores a 3.6.11. Es posible desencadenar una excepción RangeError desde el host y no desde el contexto "sandboxed" alcanzando el límite de llamadas de la pila con una recursión infinita. • https://github.com/ossf-cve-benchmark/CVE-2019-10761 https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90 https://github.com/patriksimek/vm2/issues/197 https://snyk.io/vuln/SNYK-JS-VM2-473188 • CWE-674: Uncontrolled Recursion •