First published: Thu Jul 13 2023
In vm2 for versions up to 3.9.19, the Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.

### Impact

Remote Code Execution, assuming the attacker has an arbitrary code execution primitive inside the context of the vm2 sandbox.

### Patches

None.

### Workarounds

None.

### References

PoC is to be disclosed on or after the 5th of September.

### Similarity with [CVE-2023-37466](https://nvd.nist.gov/vuln/detail/CVE-2023-37466)

While this advisory might look similar to [CVE-2023-37466](https://nvd.nist.gov/vuln/detail/CVE-2023-37466), it is a completely different way of escaping the sandbox.

### For more information

If you have any questions or comments about this advisory:

- Open an issue in [VM2](https://github.com/patriksimek/vm2)

Thanks to [Xion](https://twitter.com/0x10n) (SeungHyun Lee) of [KAIST Hacking Lab](https://kaist-hacking.github.io/) for disclosing this vulnerability.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
npm/vm2 | <=3.9.19 | |
IBM Cognos Analytics | <=12.0.0-12.0.2 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
Vm2 Project | <=3.9.19 | |
CVE-2023-37903 is classified as a critical vulnerability due to the potential for remote code execution.
Currently, there are no patches available for CVE-2023-37903, so it's recommended to mitigate risks by avoiding the use of affected versions prior to 3.9.20.
CVE-2023-37903 affects vm2 versions up to and including 3.9.19.
The impact of CVE-2023-37903 includes the ability for attackers to escape the sandbox and execute arbitrary code.
Any applications utilizing vm2 versions up to 3.9.19 are vulnerable to CVE-2023-37903.