vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.
History

Mon, 21 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 08 Sep 2024 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.6::el8
cpe:/a:redhat:multicluster_engine:2.1::el8

Mon, 19 Aug 2024 22:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.6::el8
cpe:/a:redhat:multicluster_engine:2.1::el8

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-07-13T23:17:51.434Z

Updated: 2024-10-21T14:51:16.362Z

Reserved: 2023-07-06T13:01:36.997Z

Link: CVE-2023-37466

cve-icon Vulnrichment

Updated: 2024-08-02T17:16:30.869Z

cve-icon NVD

Status : Modified

Published: 2023-07-14T00:15:09.263

Modified: 2024-11-21T08:11:45.920

Link: CVE-2023-37466

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-07-17T00:00:00Z

Links: CVE-2023-37466 - Bugzilla