CVE-2021-23555
Sandbox Bypass
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.
El paquete vm2 versiones anteriores a 3.9.6, es vulnerable a una Omisión de Sandbox por medio del acceso directo a los objetos de error del host generados por los internos del nodo durante la generación de un stacktrace, lo que puede conllevar a una ejecución de código arbitrario en la máquina del host
A flaw was found in vm2, where the sandbox can be bypassed via direct access to host error objects generated by node internals during the generation of stack traces. This flaw allows an attacker to execute arbitrary code on the host machine.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-01-08 CVE Reserved
- 2022-02-11 CVE Published
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- 2024-10-27 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-562: Return of Stack Variable Address
CAPEC
References (4)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
https://snyk.io/vuln/SNYK-JS-VM2-2309905 | 2024-09-16 |
URL | Date | SRC |
---|---|---|
https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d | 2022-02-22 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2021-23555 | 2022-05-03 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2054114 | 2022-05-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Vm2 Project Search vendor "Vm2 Project" | Vm2 Search vendor "Vm2 Project" for product "Vm2" | < 3.9.6 Search vendor "Vm2 Project" for product "Vm2" and version " < 3.9.6" | node.js |
Affected
|