Improper Control of Dynamically-Managed Code Resources

CVE-2023-29199

High

10/10

Summary

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions prior to 3.9.16, allowing attackers to bypass "handleException()" and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-913 - Improper Control of Dynamically-Managed Code Resources

The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

References

Advisory
POC/Exploit
Release Note
Issue

Advisory Timeline

Published Apr 14, 2023

Improper Control of Dynamically-Managed Code Resources

CVE-2023-29199

Summary

CWE-913 - Improper Control of Dynamically-Managed Code Resources

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS