CVE-2022-36067
Published: 2022-09-06


Priority: P181
CVSS 3.1: 10 (critical)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 47.87% (98.7th percentile)
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.

Affected (3 ranges)

Vendor        Product   Version range     Fixed in
patriksimek   vm2       < 3.9.11          3.9.11
vm2_project   vm2       < 3.9.11          3.9.11
vm2_project   vm2       >= 0, < 3.9.11    3.9.11

Detection & IOCs (extracted from sources)

  • CVE-2022-36067 exploits improper exception handling in the vm2 sandbox; the sandbox setup does not handle exceptions correctly, allowing a sandbox escape and RCE on the host
  • CVE-2022-36067 affects vm2 versions prior to 3.9.11; detection should flag any use of vm2 < 3.9.11 in Node.js environments
  • CVE-2022-36067 allows escaping the vm2 isolated environment and running shell commands on the machine hosting the sandbox
  • The affected package in Red Hat's ecosystem is rhacm2/console-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2), which bundles the vulnerable vm2 library
  • No workarounds are available for CVE-2022-36067; the only remediation is upgrading to vm2 version 3.9.11 or later
  • Red Hat notes that mitigation is either not available or does not meet their criteria for ease of use, deployment, applicability, or stability
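The detection point above reduces to a version check: any resolved vm2 below 3.9.11 is affected, including copies nested under other dependencies. The following is an added example, not code from this page or from the vm2 project, that walks a package-lock.json dependency tree (lockfile v2/v3 "packages" map or the older v1 nested "dependencies" form) and reports every vm2 entry with a numeric semver comparison against 3.9.11. The lockfile object at the bottom is constructed for the demonstration; in practice you would JSON.parse the real file.

```javascript
// Added example: flag vm2 < 3.9.11 (CVE-2022-36067) in a package-lock.json tree.
// Not code from the advisory page or the vm2 project.

// First fixed release named in the advisory.
const FIXED_VM2 = [3, 9, 11];

// Parse "major.minor.patch" (optional leading "v", trailing prerelease ignored).
// Returns null for anything that is not a concrete version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric component-wise comparison so that 3.10.0 > 3.9.11 (string compare gets this wrong).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = affected, false = fixed, null = version could not be parsed (report, do not assume safe).
function isVulnerableVm2(version) {
  const parsed = parseVersion(version);
  if (parsed === null) return null;
  return compareVersions(parsed, FIXED_VM2) < 0;
}

// Lockfile v1: "dependencies" is a nested tree keyed by package name.
function walkV1(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'vm2' && meta && meta.version) {
      findings.push({ path, version: meta.version, vulnerable: isVulnerableVm2(meta.version) });
    }
    walkV1(meta && meta.dependencies, `${path}/`, findings);
  }
}

// Returns one finding per vm2 copy in the tree, nested copies included.
function findVulnerableVm2(lock) {
  const findings = [];
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path, "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!meta || !meta.version) continue;
      const name = meta.name || path.split('node_modules/').pop();
      if (name !== 'vm2') continue;
      findings.push({ path, version: meta.version, vulnerable: isVulnerableVm2(meta.version) });
    }
  } else {
    walkV1(lock.dependencies, '', findings);
  }
  return findings;
}

// Constructed sample lockfile: a direct vm2 below the fix and a nested copy at the fixed version.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.9' },
    'node_modules/plugin-x': { version: '2.0.0' },
    'node_modules/plugin-x/node_modules/vm2': { version: '3.9.11' },
  },
};

for (const f of findVulnerableVm2(SAMPLE_LOCK)) {
  const status = f.vulnerable === null ? 'UNKNOWN' : f.vulnerable ? 'VULNERABLE' : 'fixed';
  console.log(`${status.padEnd(10)} vm2@${f.version}  ${f.path}`);
}
```

Unparseable versions are reported as null rather than silently treated as safe, and the scan is keyed on the resolved install path, so a vulnerable vm2 pulled in transitively by another package is still listed.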

CVSS provenance

NVD (v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vendor (Red Hat): 10.0 CRITICAL