Security features bypass in vm2

#VU76528 Security features bypass in vm2

Published: 2023-05-25

Vulnerability identifier: #VU76528

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2023-32313

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
vm2
Web applications / Modules and components for CMS

Vendor: Patrik Simek

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the possibility to get a read-write reference to the node `inspect` method and edit options for `console.log`. A remote attacker can edit options for the `console.log` command.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

vm2: 3.9.0 - 3.9.17

CPE

cpe:2.3:a:patriksimek:vm2:3.9.17:*:*:*:*:nodejs:*:*

External links
http://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238
http://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550
http://github.com/patriksimek/vm2/releases/tag/3.9.18
http://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.6

Multiple vulnerabilities in Multicluster Engine for Kubernetes 2.1

Multiple vulnerabilities in Multicluster Engine for Kubernetes 2.2

Multiple vulnerabilities in Red Hat Advanced Cluster Management 2.7

Multiple vulnerabilities in vm2 for Node.js