CVE-2023-29199
published 2023-04-14


Priority: P272 · Severity: critical · CVSS 3.1: 10
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 3.82% (88.7th percentile)
A vulnerability exists in the source code transformer (exception sanitization logic) of vm2 in versions up to 3.9.15. It allows attackers to bypass `handleException()` and leak unsanitized host exceptions, which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| patriksimek | vm2 | < 3.9.16 | 3.9.16 |
| vm2_project | vm2 | < 3.9.16 | 3.9.16 |
| vm2_project | vm2 | >= 0 < 3.9.16 | 3.9.16 |

Detection & IOCs (extracted from sources)

  • Vulnerability exists in the source code transformer's exception sanitization logic of vm2; look for attempts to trigger exception handling paths that bypass `handleException()` to leak unsanitized host exceptions
  • Monitor for unexpected remote code execution originating from processes running inside a vm2 sandbox, particularly on hosts running vm2 versions <= 3.9.15
  • Audit deployments of rhacm2/console-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2) for use of vulnerable vm2 versions up to 3.9.15
  • No mitigation is currently available from Red Hat; patching to vm2 version 3.9.16 is the only confirmed fix
  • The vulnerability is specifically in the exception sanitization logic of the source code transformer component of vm2, not the sandbox isolation layer itself; detection should focus on exception-handling bypass patterns

CVSS provenance

nvd · v3.1 · 10.0 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vendor_redhat · 9.8 · CRITICAL