CVE-2022-36067
10.0CRITICALvm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execut
Publicado: 9/6/2022Actualizado: 11/21/2024
Descripción
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
Análisis IAImpulsado por IA
Productos Afectados
vm2_projectvm2
Referencias
- https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164PatchThird Party Advisory
- https://github.com/patriksimek/vm2/issues/467Issue TrackingThird Party Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqPatchThird Party Advisory
- https://security.netapp.com/advisory/ntap-20221017-0002/Third Party Advisory
- https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164PatchThird Party Advisory
- https://github.com/patriksimek/vm2/issues/467Issue TrackingThird Party Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqPatchThird Party Advisory
- https://security.netapp.com/advisory/ntap-20221017-0002/Third Party Advisory
- https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067ExploitThird Party Advisory