vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
References
Link | Resource |
---|---|
https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71 | Exploit Third Party Advisory |
https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164 | Patch Third Party Advisory |
https://github.com/patriksimek/vm2/issues/467 | Issue Tracking Third Party Advisory |
https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq | Patch Third Party Advisory |
https://security.netapp.com/advisory/ntap-20221017-0002/ | Third Party Advisory |
https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-09-06T00:00:00
Updated: 2022-10-17T00:00:00
Reserved: 2022-07-15T00:00:00
Link: CVE-2022-36067
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-09-06T22:15:09.207
Modified: 2022-11-08T03:03:23.473
Link: CVE-2022-36067
JSON object: View
Redhat Information
No data.
CWE