CVE-2023-29017

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d	Exploit
https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50	Patch
https://github.com/patriksimek/vm2/issues/515	Exploit Issue Tracking
https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2023-04-06 20:15

Updated : 2024-02-28 20:13

NVD link : CVE-2023-29017

Mitre link : CVE-2023-29017

CVE.ORG link : CVE-2023-29017

JSON object : View

Products Affected

vm2_project

vm2

CWE

CWE-913

Improper Control of Dynamically-Managed Code Resources

{"id": "CVE-2023-29017", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2023-04-06T20:15:08.723", "references": [{"url": "https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d", "tags": ["Exploit"], "source": "security-advisories@github.com"}, {"url": "https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/patriksimek/vm2/issues/515", "tags": ["Exploit", "Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-913"}]}], "descriptions": [{"lang": "en", "value": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds."}], "lastModified": "2023-04-13T13:20:46.003", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "ADA32E89-C69C-4459-9515-D3F7B53EFCAE", "versionEndExcluding": "3.9.15"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}