Vulnerability Details : CVE-2022-36067
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
Vulnerability category: Execute code
Products affected by CVE-2022-36067
- cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-36067
3.69%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-36067
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
3.9
|
6.0
|
NIST | |
10.0
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
3.9
|
6.0
|
GitHub, Inc. |
CWE ids for CVE-2022-36067
-
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2022-36067
-
https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71
vm2/setup-sandbox.js at master · patriksimek/vm2 · GitHubExploit;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20221017-0002/
CVE-2022-36067 NPM Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://github.com/patriksimek/vm2/issues/467
Sandbox Breakout in VM2 · Issue #467 · patriksimek/vm2 · GitHubIssue Tracking;Third Party Advisory
-
https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067
Enter "Sandbreak" - Vulnerability In vm2 Sandbox Module Enables Remote Code Execution (CVE-2022-36067)Exploit;Third Party Advisory
-
https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164
Fix 467 · patriksimek/vm2@d9a7f3c · GitHubPatch;Third Party Advisory
-
https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq
Sandbox Escape · Advisory · patriksimek/vm2 · GitHubPatch;Third Party Advisory
Jump to