There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.
History

Sun, 08 Sep 2024 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.5::el8
cpe:/a:redhat:acm:2.6::el8
cpe:/a:redhat:multicluster_engine:2.0::el8
cpe:/a:redhat:multicluster_engine:2.1::el8

Mon, 19 Aug 2024 22:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.5::el8
cpe:/a:redhat:acm:2.6::el8
cpe:/a:redhat:multicluster_engine:2.0::el8
cpe:/a:redhat:multicluster_engine:2.1::el8

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-14T18:37:03.847Z

Updated: 2024-08-02T14:00:15.886Z

Reserved: 2023-04-03T13:37:18.454Z

Link: CVE-2023-29199

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-04-14T19:15:09.337

Modified: 2024-11-21T07:56:42.080

Link: CVE-2023-29199

cve-icon Redhat

Severity : Critical

Publid Date: 2023-04-08T00:00:00Z

Links: CVE-2023-29199 - Bugzilla