A contemporary round of patches has been built out there for the vm2 JavaScript library to handle two critical flaws that could be exploited to break out of the sandbox protections.
The two the flaws – CVE-2023-29199 and CVE-2023-30547 – are rated 9.8 out of 10 on the CVSS scoring process and have been resolved in variations 3.9.16 and 3.9.17, respectively.
Effective exploitation of the bugs, which permit an attacker to increase an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context.
![Mullvad VPN Discount](https://thecybersecurity.news/data/2022/05/Mullvad-VPN-245x300.png)
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
“A menace actor can bypass the sandbox protections to get remote code execution legal rights on the host working the sandbox,” the maintainers of the vm2 library explained in an inform.
Credited with finding and reporting the vulnerabilities is security researcher SeungHyun Lee, who has also launched proof-of-concept (PoC) exploits for the two issues in issue.
The disclosure arrives a small about a week just after vm2 remediated an additional sandbox escape flaw (CVE-2023-29017, CVSS rating: 9.8) that could guide to the execution of arbitrary code on the underlying method.
It truly is worthy of noting that researchers from Oxeye thorough a critical remote code execution vulnerability in vm2 late last yr (CVE-2022-36067, CVSS rating: 9.8) that was codenamed Sandbreak.
Found this write-up appealing? Adhere to us on Twitter and LinkedIn to go through more unique material we publish.
Some pieces of this post are sourced from:
thehackernews.com