Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-30547
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Sandbox Escape in vm2
Source: NVD (National Vulnerability Database)
Vulnerability Description
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
vm2 注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
vm2是捷克Patrik Simek个人开发者的一个 Node.js 的高级虚拟机/沙盒。以使用列入白名单的 Node 内置模块运行不受信任的代码。 vm2 3.9.17之前版本存在注入漏洞,该漏洞源于异常清理存在漏洞,攻击者利用该漏洞可以引发未清理的主机异常,该异常可用于逃逸沙箱并在主机上下文中运行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
patriksimekvm2 < 3.9.17 -
II. Public POCs for CVE-2023-30547
#POC DescriptionSource LinkShenlong Link
1PoC Exploit for VM2 Sandbox Escape Vulnerabilityhttps://github.com/rvizx/CVE-2023-30547POC Details
2PoC to CVE-2023-30547 (Library vm2)https://github.com/user0x1337/CVE-2023-30547POC Details
3Tool for exploring CVE-2023-30547https://github.com/Cur1iosity/CVE-2023-30547POC Details
4Nonehttps://github.com/junnythemarksman/CVE-2023-30547POC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2023-30547
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: vm2
Same vendor: patriksimek
Same weakness: CWE-74
V. Comments for CVE-2023-30547

No comments yet

Leave a comment