#VU79504 Security features bypass in vm2 - CVE-2023-37903


Vulnerability identifier: #VU79504

Vulnerability risk: Medium

CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-37903

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
vm2
Web applications / Modules and components for CMS

Vendor: Patrik Simek

Description

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists due to unspecified error. An attacker with code execution primitive inside the context of vm2 sandbox can use the Node.js custom inspect function to escape the sandbox and run arbitrary code.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

vm2: 3.9.0 - 3.9.19

External links
https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in HPE Unified OSS Console Assurance Monitoring
Multiple vulnerabilities in IBM Observability with Instana
Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management
Multiple vulnerabilities in IBM App Connect Enterprise Certified Container
Multiple vulnerabilities in IBM App Connect Enterprise
Multiple vulnerabilities in Red Hat Advanced Cluster Management 2.6
Multiple vulnerabilities in Multicluster Engine for Kubernetes 2.1
Multiple vulnerabilities in Red Hat Advanced Cluster Management 2.8
Multiple vulnerabilities in Multicluster Engine for Kubernetes 2.3
Multiple vulnerabilities in Red Hat Advanced Cluster Management 2.7