CVE-2019-10761

Exploit

EPSS 0.78%
Veröffentlicht 13.07.2022 09:15:08
Zuletzt bearbeitet 21.11.2024 04:19:52
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vm2 Project ≫ Vm2 SwPlatformnode.js Version < 3.6.11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.78%	0.728

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.3	3.9	3.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
report@snyk.io	8.3	3.9	3.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CWE-674 Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90

Patch

Third Party Advisory

https://github.com/patriksimek/vm2/issues/197

Third Party Advisory

Exploit

https://snyk.io/vuln/SNYK-JS-VM2-473188

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-10761

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-10761

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-10761

EUVD