CVE-2023-32314 - OpenCVE

vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Vm2 Project	Vm2

Configuration 1 [-]

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac	Exploit Third Party Advisory
https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf	Patch
https://github.com/patriksimek/vm2/releases/tag/3.9.18	Release Notes
https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-15T19:46:32.834Z

Updated: 2023-05-15T19:46:32.834Z

Reserved: 2023-05-08T13:26:03.878Z

Link: CVE-2023-32314

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-05-15T20:15:09.177

Modified: 2023-05-24T20:50:46.247

Link: CVE-2023-32314

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-32314", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-08T13:26:03.878Z", "datePublished": "2023-05-15T19:46:32.834Z", "dateUpdated": "2023-05-15T19:46:32.834Z"}, "containers": {"cna": {"title": "Sandbox Escape", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5"}, {"name": "https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf"}, {"name": "https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac", "tags": ["x_refsource_MISC"], "url": "https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac"}, {"name": "https://github.com/patriksimek/vm2/releases/tag/3.9.18", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/releases/tag/3.9.18"}], "affected": [{"vendor": "patriksimek", "product": "vm2", "versions": [{"version": "< 3.9.18", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-15T19:46:32.834Z"}, "descriptions": [{"lang": "en", "value": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-whpj-8f3w-67p5", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "80ED3198-E3DA-4ACD-883B-10CDB835BA33", "versionEndExcluding": "3.9.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "id": "CVE-2023-32314", "lastModified": "2023-05-24T20:50:46.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-05-15T20:15:09.177", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/patriksimek/vm2/releases/tag/3.9.18"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}