#VU79504 Security features bypass in vm2 - CVE-2023-37903
Published: August 15, 2023
Vulnerability identifier: #VU79504
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/U:Green
CVE-ID: CVE-2023-37903
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
vm2
Software vendor:
Patrik Simek
Description
The vulnerability allows an attacker to bypass implemented security restrictions.
The vulnerability exists due to an unspecified error. An attacker with a code execution primitive inside the context of the vm2 sandbox can use the Node.js custom inspect function to escape the sandbox and run arbitrary code.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.