The maintainers of the vm2 JavaScript sandbox module have shipped a patch to handle a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode.
The flaw, which affects all variations, such as and prior to 3.9.14, was documented by scientists from South Korea-primarily based KAIST WSP Lab on April 6, 2023, prompting vm2 to launch a deal with with model 3.9.15 on Friday.
“A menace actor can bypass the sandbox protections to attain distant code execution rights on the host working the sandbox,” vm2 disclosed in an advisory.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
The vulnerability has been assigned the identified CVE-2023-29017 and is rated 9.8 on the CVSS scoring program. The issue stems from the truth that it does not effectively take care of problems that happen in asynchronous features.
vm2 is a well-liked library that’s made use of to operate untrusted code in an isolated surroundings on Node.js. It has nearly 4 million weekly downloads.
Approaching WEBINARLearn to Protected the Identity Perimeter – Confirmed Methods
Enhance your company security with our impending expert-led cybersecurity webinar: Explore Identification Perimeter tactics!
Don’t Overlook Out – Help you save Your Seat!
KAIST security researcher Seongil Wi has also made readily available two diverse variants of a proof-of-concept (PoC) exploit for CVE-2023-29017 that get all around the sandbox protections and allow for the creation of an empty file named “flag” on the host.
The disclosure will come virtually six months following vm2 settled an additional critical bug (CVE-2022-36067, CVSS score: 10) that could have been weaponized to perform arbitrary functions on the underlying device.
Found this short article intriguing? Observe us on Twitter and LinkedIn to browse much more exceptional content material we put up.
Some areas of this article are sourced from:
thehackernews.com