CVE-2022-36067
10.0CRITICALvm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execut
Published: 9/6/2022Updated: 11/21/2024
Description
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
AI AnalysisPowered by AI
Affected Products
vm2_projectvm2
References
- https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164PatchThird Party Advisory
- https://github.com/patriksimek/vm2/issues/467Issue TrackingThird Party Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqPatchThird Party Advisory
- https://security.netapp.com/advisory/ntap-20221017-0002/Third Party Advisory
- https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164PatchThird Party Advisory
- https://github.com/patriksimek/vm2/issues/467Issue TrackingThird Party Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqPatchThird Party Advisory
- https://security.netapp.com/advisory/ntap-20221017-0002/Third Party Advisory
- https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067ExploitThird Party Advisory