CVE-2023-29199: vm2 Sandbox Escape Vulnerability
The vulnerability exists in the source code transformer due to improper handling in the exception sanitization logic. The vulnerability may allow attackers to bypass handleException() and leak unsanitized host exceptions, which can be used to escape the sandbox and perform remote code execution in the host context.
CVE-2023-30547: vm2 Sandbox Escape Vulnerability
The vulnerability exists in the exception sanitization logic. The vulnerability allows attackers to raise an unsanitized host exception inside handleException() and use it to escape the sandbox and execute remote code in the host context.
CVE-2023-29199 affects vm2 NPM package versions before 3.9.16, and CVE-2023-30547 affects vm2 NPM package versions before 3.9.17.
For CVE-2023-29199, customers are recommended to upgrade to version 3.9.16 or later.
For CVE-2023-30547, customers are recommended to upgrade to version 3.9.17 or later.
Qualys customers can scan their devices with QIDs 378431 and 378432 to detect vulnerable assets.
The QIDs check for vulnerable versions of the vm2 NPM package installed globally. The QIDs run the npm list -g --silent command and check the file /usr/local/lib/node_modules/vm2/package.json to look for vulnerable versions of vm2.
Note: NPM packages can be installed anywhere as a developer/production dependency. The QIDs can only detect vm2 packages that are installed globally. These QIDs check for installed packages within the %systemdrive%\Users\Administrator directory for Microsoft Windows.
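Because the QIDs only see global installs, the following added example (not Qualys or vm2 code) walks a directory tree for every node_modules/vm2/package.json, global or project-local, and maps each copy's version to the affected ranges stated above (below 3.9.16 for CVE-2023-29199, below 3.9.17 for CVE-2023-30547). The sample tree it builds under a temporary directory is constructed for the demonstration, not a real install.

```python
import json
import os
import re
import tempfile

# Added example (not Qualys or vm2 code). Fixed versions from the advisory;
# any lower version is affected by the corresponding CVE.
FIXED = {"CVE-2023-29199": (3, 9, 16), "CVE-2023-30547": (3, 9, 17)}

def parse_version(version):
    """Turn '3.9.15' (or 'v3.9.15-rc1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def affected_cves(version):
    """Return the advisory CVE ids that apply to this vm2 version (empty if patched)."""
    v = parse_version(version)
    return [cve for cve, fixed in FIXED.items() if v < fixed]

def find_vm2_packages(root):
    """Walk root for every node_modules/vm2/package.json, global or project-local."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = os.path.basename(os.path.dirname(dirpath))
        if (os.path.basename(dirpath) == "vm2" and parent == "node_modules"
                and "package.json" in filenames):
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
            if meta.get("name") == "vm2":
                hits.append((os.path.join(dirpath, "package.json"), meta.get("version", "")))
            dirnames.clear()  # no need to descend into vm2's own subtree
    return sorted(hits)

def scan(root):
    """Map each vm2 package.json under root to the CVEs its version is affected by."""
    return {path: affected_cves(ver) for path, ver in find_vm2_packages(root)}

def make_sample_tree():
    """Constructed sample tree (not a real install): project-local 3.9.15 and a nested 3.9.16."""
    root = tempfile.mkdtemp(prefix="vm2scan-")
    for rel, ver in (("app/node_modules/vm2", "3.9.15"),
                     ("app/node_modules/somelib/node_modules/vm2", "3.9.16")):
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": "vm2", "version": ver}, fh)
    return root
```

Running scan(make_sample_tree()) reports the 3.9.15 copy as affected by both CVEs and the 3.9.16 copy as affected by CVE-2023-30547 only; point scan() at a project or home directory to cover dependencies the global check misses.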
QID 992796 is currently available via the SCA (Software Composition Analysis) capabilities for Container Security.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.