CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-23555 – Sandbox Bypass
https://notcve.org/view.php?id=CVE-2021-23555
The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine. El paquete vm2 versiones anteriores a 3.9.6, es vulnerable a una Omisión de Sandbox por medio del acceso directo a los objetos de error del host generados por los internos del nodo durante la generación de un stacktrace, lo que puede conllevar a una ejecución de código arbitrario en la máquina del host A flaw was found in vm2, where the sandbox can be bypassed via direct access to host error objects generated by node internals during the generation of stack traces. This flaw allows an attacker to execute arbitrary code on the host machine. • https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d https://snyk.io/vuln/SNYK-JS-VM2-2309905 https://access.redhat.com/security/cve/CVE-2021-23555 https://bugzilla.redhat.com/show_bug.cgi?id=2054114 • CWE-562: Return of Stack Variable Address •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-23449 – Sandbox Bypass
https://notcve.org/view.php?id=CVE-2021-23449
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. Esto afecta al paquete vm2 antes de la versión 3.9.4 a través de un vector de ataque de Prototipo de Contaminación, que puede llevar a la ejecución de código arbitrario en la máquina anfitriona • https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886 https://github.com/patriksimek/vm2/issues/363 https://github.com/patriksimek/vm2/releases/tag/3.9.4 https://security.netapp.com/advisory/ntap-20211029-0010 https://snyk.io/vuln/SNYK-JS-VM2-1585918 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •