CVE-2023-37903

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.
Configurations

Configuration 1 (hide)

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*

History

21 Nov 2024, 08:12

Type Values Removed Values Added
References () https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 - Vendor Advisory () https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 - Vendor Advisory
References () https://security.netapp.com/advisory/ntap-20230831-0007/ - Third Party Advisory () https://security.netapp.com/advisory/ntap-20230831-0007/ - Third Party Advisory
CVSS v2 : unknown
v3 : 10.0
v2 : unknown
v3 : 9.8

01 Feb 2024, 13:46

Type Values Removed Values Added
References (MISC) https://security.netapp.com/advisory/ntap-20230831-0007/ - (MISC) https://security.netapp.com/advisory/ntap-20230831-0007/ - Third Party Advisory

31 Aug 2023, 19:15

Type Values Removed Values Added
References
  • (MISC) https://security.netapp.com/advisory/ntap-20230831-0007/ -

01 Aug 2023, 12:55

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 10.0

01 Aug 2023, 01:51

Type Values Removed Values Added
References (MISC) https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 - (MISC) https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
First Time Vm2 Project
Vm2 Project vm2
CPE cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*

21 Jul 2023, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-21 20:15

Updated : 2024-11-21 08:12


NVD link : CVE-2023-37903

Mitre link : CVE-2023-37903

CVE.ORG link : CVE-2023-37903


JSON object : View

Products Affected

vm2_project

  • vm2
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')