CVE-2022-36067
CRITICAL10.0EPSS 84.5%vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
Description
### Impact A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. ### Patches This vulnerability was patched in the release of version `3.9.11` of `vm2` ### Workarounds None. ### References Github Issue - https://github.com/patriksimek/vm2/issues/467 The file that was patched - https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71 The commit with the patch - https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164 ### For more information If you have any questions or comments about this advisory: * Open an issue in [VM2](https://github.com/patriksimek/vm2)
Affected packages (1)
- npm/vm2from 0, < 3.9.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-36067
- PATCHhttps://github.com/patriksimek/vm2
- WEBhttps://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71
- WEBhttps://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164
- WEBhttps://github.com/patriksimek/vm2/issues/467
- WEBhttps://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq
- WEBhttps://security.netapp.com/advisory/ntap-20221017-0002
- WEBhttps://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067