CVE-2023-37903

EPSS 39.23%
Veröffentlicht 21.07.2023 20:15:16
Zuletzt bearbeitet 03.11.2025 22:16:23
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vm2 Project ≫ Vm2 SwPlatformnode.js Version <= 3.9.19

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	39.23%	0.971

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4

Vendor Advisory

https://security.netapp.com/advisory/ntap-20230831-0007/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20241108-0002/

https://nvd.nist.gov/vuln/detail/CVE-2023-37903

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-37903

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-37903

EUVD