vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host #144

Closed
1 of 4 tasks
TheKingTermux opened this issue Sep 28, 2022 · 0 comments · Fixed by #142
Labels: Auto Create Issues, Critical, Security

Description

Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Severity Check

  • Low
  • Moderate
  • High
  • Critical

Severity Number

10 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Weaknesses: CWE-913
  • CVE ID: CVE-2022-36067
  • GHSA ID: GHSA-mrgp-mrhc-5jrq

Information

  • Package: vm2 (npm)
  • Affected versions: < 3.9.11
  • Patched versions: 3.9.11

References

  • TheKingTermux added the Security and Auto Create Issues labels on Sep 28, 2022
  • github-actions bot locked the issue as resolved and limited conversation to collaborators on Sep 30, 2022
  • TheKingTermux added the Critical label on May 9, 2023
  • TheKingTermux added this to the Alice 1.0.6 milestone on Jun 13, 2023