GHSA-mrgp-mrhc-5jrq

Source

https://github.com/advisories/GHSA-mrgp-mrhc-5jrq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-mrgp-mrhc-5jrq/GHSA-mrgp-mrhc-5jrq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mrgp-mrhc-5jrq

Aliases

CVE-2022-36067

Related

CVE-2022-36067

Published

2022-09-28T13:09:01Z

Modified

2023-11-08T04:09:59.397193Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host

Details

Impact

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Patches

This vulnerability was patched in the release of version 3.9.11 of vm2

Workarounds

None.

References

Github Issue - https://github.com/patriksimek/vm2/issues/467 The file that was patched - https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71 The commit with the patch - https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164

For more information

If you have any questions or comments about this advisory: * Open an issue in VM2

Database specific

{
    "github_reviewed_at": "2022-09-28T13:09:01Z",
    "cwe_ids": [
        "CWE-913"
    ],
    "nvd_published_at": "2022-09-06T22:15:00Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}

References

Affected packages

npm / vm2

Package

Name: vm2; View open source insights on deps.dev
Purl: pkg:npm/vm2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.9.11