CVE-2023-29017 - OpenCVE

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Vm2 Project	Vm2

Configuration 1 [-]

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d	Exploit
https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50	Patch
https://github.com/patriksimek/vm2/issues/515	Exploit Issue Tracking
https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-06T19:18:34.243Z

Updated: 2023-04-06T19:18:34.243Z

Reserved: 2023-03-29T17:39:16.144Z

Link: CVE-2023-29017

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-04-06T20:15:08.723

Modified: 2023-04-13T13:20:46.003

Link: CVE-2023-29017

JSON object: View

Redhat Information

No data.

CWE

CWE-913

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-29017", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-29T17:39:16.144Z", "datePublished": "2023-04-06T19:18:34.243Z", "dateUpdated": "2023-04-06T19:18:34.243Z"}, "containers": {"cna": {"title": "vm2 Sandbox Escape vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-913", "lang": "en", "description": "CWE-913: Improper Control of Dynamically-Managed Code Resources", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv"}, {"name": "https://github.com/patriksimek/vm2/issues/515", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/issues/515"}, {"name": "https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50"}, {"name": "https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d", "tags": ["x_refsource_MISC"], "url": "https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d"}], "affected": [{"vendor": "patriksimek", "product": "vm2", "versions": [{"version": "< 3.9.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-06T19:18:34.243Z"}, "descriptions": [{"lang": "en", "value": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds."}], "source": {"advisory": "GHSA-7jxr-cg7f-gpgv", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "ADA32E89-C69C-4459-9515-D3F7B53EFCAE", "versionEndExcluding": "3.9.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds."}], "id": "CVE-2023-29017", "lastModified": "2023-04-13T13:20:46.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-04-06T20:15:08.723", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/patriksimek/vm2/issues/515"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-913"}], "source": "security-advisories@github.com", "type": "Primary"}]}