Published: 06/04/2023 Updated: 13/04/2023

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 0

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.

Vulnerable Product	Search on Vulmon	Subscribe to Product
vm2 project vm2

Synopsis Critical: Multicluster Engine for Kubernetes 223 security updates and bug fixes Type/Severity Security Advisory: Critical Topic Multicluster Engine for Kubernetes 223 General Availability release images, which fix bugs and security updates container imagesRed Hat Product Security has rated this update as having a security impact ...

Synopsis Critical: Multicluster Engine for Kubernetes 20 hotfix security update for console Type/Severity Security Advisory: Critical Topic Red Hat Multicluster Engine Hotfix Security Update for ConsoleRed Hat Product Security has rated this update as having a security impactof Critical A Common Vulnerability Scoring System (CVSS) base scor ...

Synopsis Critical: Red Hat Advanced Cluster Management 26 hotfix security update for console Type/Severity Security Advisory: Critical Topic Red Hat Advanced Cluster Management for Kubernetes hotfix security update for consoleRed Hat Product Security has rated this update as having a security impactof Critical A Common Vulnerability Scoring ...

Synopsis Critical: Multicluster Engine for Kubernetes 21 hotfix security update for console Type/Severity Security Advisory: Critical Topic Multicluster Engine for Kubernetes 21 hotfix security update for consoleRed Hat Product Security has rated this update as having a security impactof Critical A Common Vulnerability Scoring System (CVSS ...

Synopsis Critical: Red Hat Advanced Cluster Management 273 security fixes and bug fixes Type/Severity Security Advisory: Critical Topic Red Hat Advanced Cluster Management for Kubernetes 273 GeneralAvailability release images, which fix bugs and security updates container imagesRed Hat Product Security has rated this update as having a s ...

Synopsis Critical: Red Hat Advanced Cluster Management 25 hotfix security update for console Type/Severity Security Advisory: Critical Topic Red Hat Advanced Cluster Management for Kubernetes hotfix security update for consoleRed Hat Product Security has rated this update as having a security impactof Critical A Common Vulnerability Scoring ...

DescriptionThe MITRE CVE dictionary describes this issue as: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules Prior to version 3915, vm2 was not properly handling host objects passed to `ErrorprepareStackTrace` in case of unhandled async errors A threat actor could bypass the sandbox protections to gain rem ...

Table of Contents Setup Semgrep Installation Steps for Project Setup Creating SAST Rules Steps Example yml rule Important to note Create test for rule Example of test file code for rule Creating Reachability Rules for Aqua Please Note Steps Example of tpl file Converted rule to tpl Create a test rechability test file Example test code for rechabili

CWE-913 https://github.com/patriksimek/vm2/issues/515 https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50 https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv https://nvd.nist.gov https://github.com/silenstack/sast-rules https://access.redhat.com/errata/RHSA-2023:1887 https://access.redhat.com/security/cve/cve-2023-29017

CVE-2023-29017

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect