vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.
References
Link | Resource |
---|---|
https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 | Vendor Advisory |
https://security.netapp.com/advisory/ntap-20230831-0007/ | Third Party Advisory |
https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 | Vendor Advisory |
https://security.netapp.com/advisory/ntap-20230831-0007/ | Third Party Advisory |
Configurations
History
21 Nov 2024, 08:12
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 - Vendor Advisory | |
References | () https://security.netapp.com/advisory/ntap-20230831-0007/ - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
01 Feb 2024, 13:46
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://security.netapp.com/advisory/ntap-20230831-0007/ - Third Party Advisory |
31 Aug 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Aug 2023, 12:55
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 10.0 |
01 Aug 2023, 01:51
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 - Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
First Time |
Vm2 Project
Vm2 Project vm2 |
|
CPE | cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:* |
21 Jul 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-21 20:15
Updated : 2024-11-21 08:12
NVD link : CVE-2023-37903
Mitre link : CVE-2023-37903
CVE.ORG link : CVE-2023-37903
JSON object : View
Products Affected
vm2_project
- vm2
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')