Vulnerability Details : CVE-2022-36067

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.

Vulnerability category: Execute code

Published 2022-09-06 22:15:09

Updated 2022-11-08 03:03:23

Source GitHub, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-36067

Probability of exploitation activity in the next 30 days: 0.64%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 77 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-36067

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
10.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	3.9	6.0	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
10.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	3.9	6.0	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-36067

CWE-913 Improper Control of Dynamically-Managed Code Resources

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
Assigned by:
- [email protected] (Primary)
- [email protected] (Secondary)

References for CVE-2022-36067

https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71

Exploit;Third Party Advisory
https://security.netapp.com/advisory/ntap-20221017-0002/

Third Party Advisory
https://github.com/patriksimek/vm2/issues/467

Issue Tracking;Third Party Advisory
https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067

Exploit;Third Party Advisory
https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164

Patch;Third Party Advisory
https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq

Patch;Third Party Advisory

Products affected by CVE-2022-36067

Vm2 Project » VM2 » For Node.js
Versions before (<) 3.9.11
cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*
Matching versions