A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of the sandbox protections.
Both flaws – CVE-2023-29199 and CVE-2023-30547 – are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively.
Successful exploitation of the bugs, which allow an attacker to raise an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context.
“A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” the maintainers of the vm2 library said in an alert.
Credited with discovering and reporting the vulnerabilities is security researcher SeungHyun Lee, who has also released proof-of-concept (PoC) exploits for the two issues in question.
The disclosure comes a little over a week after vm2 remediated another sandbox escape flaw (CVE-2023-29017, CVSS score: 9.8) that could lead to the execution of arbitrary code on the underlying system.
It's worth noting that researchers from Oxeye detailed a critical remote code execution vulnerability in vm2 late last year (CVE-2022-36067, CVSS score: 9.8) that was codenamed Sandbreak.
Some parts of this article are sourced from:
thehackernews.com