vm2 vulnerable to sandbox escape #312

Closed
1 of 4 tasks
TheKingTermux opened this issue Apr 11, 2023 · 0 comments · Fixed by #309

Description

vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors.

vm2 version: ~3.9.14
Node version: 18.15.0, 19.8.1, 17.9.1

Impact

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Patches

This vulnerability was patched in the release of version 3.9.15 of vm2.

Workarounds

None.

Severity Check

  • Low
  • Moderate
  • High
  • Critical

Severity Number

9.8

CVSS base metrics

  • Attack vector
    Network

  • Attack complexity
    Low

  • Privileges required
    None

  • User interaction
    None

  • Scope
    Unchanged

  • Confidentiality
    High

  • Integrity
    High

  • Availability
    High

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Weaknesses
    CWE-913

  • CVE ID
    CVE-2023-29017

  • GHSA ID
    GHSA-7jxr-cg7f-gpgv

Information

  • Package
    vm2 (npm)

  • Affected versions
    < 3.9.15

  • Patched versions
    3.9.15

References

TheKingTermux added the do-not-autoclose, Security and Auto Create Issues labels on Apr 11, 2023
github-actions bot locked as resolved and limited conversation to collaborators on Apr 13, 2023
TheKingTermux added the Critical label and removed the do-not-autoclose label on May 9, 2023
TheKingTermux added this to the Alice 1.0.6 milestone on Jun 13, 2023