Main Vulnerability Database Vulnerabilities #VU75367

#VU75367 Code injection in vm2 - CVE-2023-30547

Published: April 20, 2023 / Updated: December 18, 2023

Vulnerability identifier: #VU75367

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/U:Green

CVE-ID: CVE-2023-30547

CWE-ID: CWE-74

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
vm2

Software vendor:
Patrik Simek

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an error in exception sanitization. A remote user can raise an unsanitized host exception inside "handleException()", which can be used to escape the sandbox and run arbitrary code in host context.

Remediation

Install updates from vendor's website.

External links

https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5
https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049
https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m
https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244

#VU75367 Code injection in vm2 - CVE-2023-30547

Description

Remediation

External links

Please verify you're human