A security hole has now been patched in vm2, a JavaScript sandbox module, that could be exploited by a remote adversary to bypass security barriers and perform arbitrary operations on the underlying machine.
“Threat actors can overcome the sandbox's guard measures to gain remote code execution on the server running the sandbox,” GitHub said in an advisory published on September 28, 2022.
The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a maximum severity rating of 10 on the CVSS vulnerability scoring system. It was resolved in version 3.9.11 released on August 28, 2022.
vm2 is a popular Node library used to run untrusted code with whitelisted built-in modules. It is also one of the most widely downloaded packages, accounting for nearly 3.5 million downloads per week.
According to application security company Oxeye, which discovered the vulnerability, it stems from a bug in a Node.js mechanism that allows code to escape the sandbox.
This means that a successful exploit of CVE-2022-36067 could allow an attacker to bypass the vm2 sandbox environment and run shell commands on the host system running the sandbox.
Due to the serious nature of the vulnerability, users are advised to update to the latest version as soon as possible to mitigate possible threats.
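Since the article gives a concrete fixed version (3.9.11), the practical check is whether any copy of vm2 in a project's dependency tree, including transitive copies nested under other packages, is older than that. The following Node script is an added example, not code from the article, GitHub's advisory or the vm2 project; it assumes the standard npm `package-lock.json` layouts (lockfileVersion 2/3 with a `packages` map keyed by `node_modules/...` paths, and lockfileVersion 1 with nested `dependencies`), and the sample lockfiles embedded in it are constructed for illustration.

```javascript
// Added example (not from the article or the vm2 project): audit a parsed
// package-lock.json for vm2 versions older than 3.9.11, the release the
// article names as the fix for CVE-2022-36067 (Sandbreak).

const FIXED_VM2_VERSION = '3.9.11';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts.
// Returns null for anything that is not a plain semver version string.
// Prerelease tags are ignored, so "3.9.11-rc.1" compares equal to 3.9.11.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, 0 if equal, positive if a > b. Components are compared
// numerically, so 3.9.9 < 3.9.11 (a plain string comparison gets this wrong).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`not a semver version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isVulnerableVm2Version(version) {
  return compareSemver(version, FIXED_VM2_VERSION) < 0;
}

// Return every vm2 entry ({ path, version }) found in a parsed lockfile.
// lockfileVersion 2/3: "packages" keyed by install path.
// lockfileVersion 1: "dependencies", possibly nested per package.
function findVm2Entries(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
        found.push({ path, version: pkg.version });
      }
    }
    return found;
  }
  const walkV1 = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2') found.push({ path, version: dep.version });
      if (dep.dependencies) walkV1(dep.dependencies, `${path}/`);
    }
  };
  walkV1(lock.dependencies, '');
  return found;
}

// Split the vm2 entries of a lockfile into vulnerable (< 3.9.11) and fixed.
function auditLockfile(lock) {
  const result = { vulnerable: [], fixed: [] };
  for (const entry of findVm2Entries(lock)) {
    (isVulnerableVm2Version(entry.version) ? result.vulnerable : result.fixed).push(entry);
  }
  return result;
}

// Constructed sample (lockfileVersion 3): the direct vm2 dependency is on the
// patched release, but a plugin pulls in an older, unpatched nested copy.
const SAMPLE_LOCK_V3 = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { vm2: '^3.9.11', 'some-plugin': '1.0.0' } },
    'node_modules/vm2': { version: '3.9.11' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { vm2: '3.9.9' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.9' },
  },
};

// Constructed sample (lockfileVersion 1) with the same shape of problem.
const SAMPLE_LOCK_V1 = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    vm2: { version: '3.9.11' },
    'some-plugin': { version: '1.0.0', dependencies: { vm2: { version: '3.9.9' } } },
  },
};

// Human-readable report lines; exit status 1 is appropriate when any line
// starts with "VULNERABLE" if this is wired into a CI step.
function formatReport(lock) {
  const report = auditLockfile(lock);
  return [
    ...report.vulnerable.map((e) => `VULNERABLE ${e.path} vm2@${e.version} (< ${FIXED_VM2_VERSION})`),
    ...report.fixed.map((e) => `ok         ${e.path} vm2@${e.version}`),
  ];
}

console.log(formatReport(SAMPLE_LOCK_V3).join('\n'));
```

To audit a real project, replace `SAMPLE_LOCK_V3` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested-copy case in the sample is the one a quick `npm ls vm2` at the top level can hide, which is why the walk covers every install path rather than only the root entry.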
“Sandboxes serve different purposes in modern applications, such as checking attachments in email servers, providing an extra layer of security in a web browser, or building applications that work under certain operating systems,” says Oxeye.
“Given the nature of the use cases for the sandbox, it is clear that a vm2 vulnerability can have serious consequences for applications that use vm2 without a patch.”