#VU75366 Improper Control of Dynamically-Managed Code Resources in vm2 - CVE-2023-29199

Vulnerability identifier: #VU75366

Vulnerability risk: Medium

CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/U:Green]

CVE-ID: CVE-2023-29199

CWE-ID: CWE-913

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
vm2
Web applications / Modules and components for CMS

Vendor: Patrik Simek

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to an error within the source code transformer. A remote user can bypass handleException() and leak unsanitized host exceptions. The obtain information can be used to escape the sandbox and run arbitrary code in host context.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

vm2: 3.9.0 - 3.9.15

---

External links
https://github.com/patriksimek/vm2/releases/tag/3.9.16
https://github.com/patriksimek/vm2/issues/516
https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985
https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7
https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.