CVE-2022-36067
10.0CRITICALvm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execut
Опубликовано: 9/6/2022Обновлено: 11/21/2024
Описание
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
ИИ-АнализНа базе ИИ
Затронутые продукты
vm2_projectvm2
Ссылки
- https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164PatchThird Party Advisory
- https://github.com/patriksimek/vm2/issues/467Issue TrackingThird Party Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqPatchThird Party Advisory
- https://security.netapp.com/advisory/ntap-20221017-0002/Third Party Advisory
- https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164PatchThird Party Advisory
- https://github.com/patriksimek/vm2/issues/467Issue TrackingThird Party Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqPatchThird Party Advisory
- https://security.netapp.com/advisory/ntap-20221017-0002/Third Party Advisory
- https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067ExploitThird Party Advisory