websitebuildersnow
[ad_1]
A currently patched security flaw in the vm2 JavaScript sandbox module could be exploited by a remote adversary to breach the security barrier and take arbitrary actions on the underlying machine.
In an advisory published on September 28, 2022, GitHub said, “Attackers can bypass sandbox protections and gain remote code execution privileges on the host running the sandbox.
The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, has a maximum severity rating of 10 in the CVSS vulnerability scoring system. This issue is resolved in version 3.9.11, released on August 28, 2022.
vm2 is a popular Node library used to run untrusted code using whitelisted built-in modules. It is also one of the most widely downloaded software, with nearly 3.5 million downloads per week.
According to application security firm Oxeye, who discovered the flaw, the shortcoming is due to Node.js’s error mechanism for evading sandboxes.
This means that successful exploitation of CVE-2022-36067 could allow an attacker to bypass the vm2 sandbox environment and execute shell commands on the system hosting the sandbox.
In light of the serious nature of the vulnerability, users are advised to update to the latest version as soon as possible to mitigate any possible threat.
According to Oxeye, “Sandboxing can be used in many ways in modern applications, such as inspecting attachments on email servers, providing an extra layer of security in web browsers, or isolating applications actively running on a given operating system. serve a purpose.
“Given the nature of the sandbox use case, it’s clear that vulnerabilities in vm2 could have disastrous consequences for applications that use vm2 unpatched.”
[ad_2]
Source link
GIPHY App Key not set. Please check settings