描述
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
AI分析AI驱动
受影响产品
vm2_projectvm2
参考资料
- https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164PatchThird Party Advisory
- https://github.com/patriksimek/vm2/issues/467Issue TrackingThird Party Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqPatchThird Party Advisory
- https://security.netapp.com/advisory/ntap-20221017-0002/Third Party Advisory
- https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71ExploitThird Party Advisory
- https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164PatchThird Party Advisory
- https://github.com/patriksimek/vm2/issues/467Issue TrackingThird Party Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqPatchThird Party Advisory
- https://security.netapp.com/advisory/ntap-20221017-0002/Third Party Advisory
- https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067ExploitThird Party Advisory