CVE-2022-36067 — CRITICAL (10.0)

Q: How severe is CVE-2022-36067?

CVE-2022-36067 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-36067?

Check the references section above for vendor advisories and patch information. Affected products include: Vm2 Project Vm2.

Vulnerability Description

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Vm2 Project	Vm2	< 3.9.11

Related Weaknesses (CWE)

CWE-913

References

https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71ExploitThird Party Advisory
https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b8PatchThird Party Advisory
https://github.com/patriksimek/vm2/issues/467Issue TrackingThird Party Advisory
https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqPatchThird Party Advisory
https://security.netapp.com/advisory/ntap-20221017-0002/Third Party Advisory
https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067ExploitThird Party Advisory
https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71ExploitThird Party Advisory
https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b8PatchThird Party Advisory
https://github.com/patriksimek/vm2/issues/467Issue TrackingThird Party Advisory
https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqPatchThird Party Advisory
https://security.netapp.com/advisory/ntap-20221017-0002/Third Party Advisory
https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067ExploitThird Party Advisory

FAQ

What is CVE-2022-36067?

CVE-2022-36067 is a vulnerability with a CVSS score of 10.0 (CRITICAL). vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execut...

How severe is CVE-2022-36067?

CVE-2022-36067 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-36067?

Check the references section above for vendor advisories and patch information. Affected products include: Vm2 Project Vm2.