Protection Mechanism Failure

CVE-2023-32314

High

10/10

Summary

The NPM package "vm2" is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 in versions prior to 3.9.18. It abuses an unexpected creation of a host object based on the specification of "Proxy". As a result, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-693 - Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References

Advisory
Disclosure
Release Note

Advisory Timeline

Published May 15, 2023

Protection Mechanism Failure

CVE-2023-32314

Summary

CWE-693 - Protection Mechanism Failure

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS