Security features bypass in vm2

#VU76527 Security features bypass in vm2

Published: 2023-05-25

Vulnerability identifier: #VU76527

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2023-32314

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
vm2
Web applications / Modules and components for CMS

Vendor: Patrik Simek

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an unexpected creation of a host object based on the specification of `Proxy`. A remote attacker can escape sandbox restrictions and gain remote code execution rights on the host.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

vm2: 3.9.0 - 3.9.17

CPE

cpe:2.3:a:patriksimek:vm2:3.9.17:*:*:*:*:nodejs:*:*

External links
http://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
http://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
http://github.com/patriksimek/vm2/releases/tag/3.9.18
http://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.6

Multiple vulnerabilities in Multicluster Engine for Kubernetes 2.1

Multiple vulnerabilities in Multicluster Engine for Kubernetes 2.2

Multiple vulnerabilities in Red Hat Advanced Cluster Management 2.7

Multiple vulnerabilities in vm2 for Node.js