vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host #144
Closed
1 of 4 tasks
Labels
Auto Create Issues
Label for Auto Created Issues
Critical
This label for Security Severity only
Security
Label for Security Issues
Description
Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
Severity Check
Severity Number: 10 / 10
CVSS base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Weaknesses: CWE-913
CVE ID: CVE-2022-36067
GHSA ID: GHSA-mrgp-mrhc-5jrq
Information
Package: vm2 (npm)
Affected versions: < 3.9.11
Patched versions: 3.9.11
References
GHSA-mrgp-mrhc-5jrq
https://nvd.nist.gov/vuln/detail/CVE-2022-36067
Sandbox Breakout in VM2 patriksimek/vm2#467
patriksimek/vm2@d9a7f3c#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164
https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71