CVE-2021-23555: Sandbox Bypass
First published: Fri Feb 11 2022(Updated: )
A flaw was found in vm2, where the sandbox can be bypassed via direct access to host error objects generated by node internals during the generation of stack traces. This flaw allows an attacker to execute arbitrary code on the host machine.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Vm2 Project Vm2 | <3.9.6 | |
| redhat/vm2 | <3.9.6 | 3.9.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d
- https://snyk.io/vuln/SNYK-JS-VM2-2309905
- https://access.redhat.com/errata/RHSA-2022:1681
- https://access.redhat.com/security/cve/cve-2021-23555
- https://bugzilla.redhat.com/show_bug.cgi?id=2054114
- https://www.cve.org/CVERecord?id=CVE-2021-23555 https://nvd.nist.gov/vuln/detail/CVE-2021-23555 https://security.snyk.io/vuln/SNYK-JS-VM2-2309905
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/remedy
- agent/first-publish-date
- agent/author
- agent/references
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-23555
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/title
- agent/tags
- agent/description
- agent/event
- vendor/vm2 project
- canonical/vm2 project vm2
- package-manager/redhat