#VU70543 Improper access control in vm2 - CVE-2021-23555

Cybersecurity Help s.r.o.

Published: 2022-12-30

Vulnerability identifier: #VU70543

Vulnerability risk: High

CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-23555

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
vm2
Web applications / Modules and components for CMS

Vendor: Patrik Simek

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to sandbox bypass via direct access to host error objects generated by node internals during generation of a stacktraces. A remote attacker can execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

vm2: 3.9.0 - 3.9.5

External links
https://snyk.io/vuln/SNYK-JS-VM2-2309905
https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM Cloud Pak for Multicloud Management Infrastructure Management update for vm2

Remote code execution in vm2 for Node.js

Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.4

Improper access control in IBM Cloud Automation Manager