vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.
History

Sun, 08 Sep 2024 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.5::el8
cpe:/a:redhat:acm:2.6::el8
cpe:/a:redhat:multicluster_engine:2.0::el8
cpe:/a:redhat:multicluster_engine:2.1::el8

Mon, 19 Aug 2024 22:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.5::el8
cpe:/a:redhat:acm:2.6::el8
cpe:/a:redhat:multicluster_engine:2.0::el8
cpe:/a:redhat:multicluster_engine:2.1::el8

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-06T19:18:34.243Z

Updated: 2024-08-02T14:00:14.370Z

Reserved: 2023-03-29T17:39:16.144Z

Link: CVE-2023-29017

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-04-06T20:15:08.723

Modified: 2024-11-21T07:56:24.137

Link: CVE-2023-29017

cve-icon Redhat

Severity : Critical

Publid Date: 2023-04-06T00:00:00Z

Links: CVE-2023-29017 - Bugzilla