CVE-2023-30547 : VM2 UP TO 3.9.16 HANDLEEXCEPTION INJECTION - Cloud WAF

Free Trial

CVE-2023-30547 : VM2 UP TO 3.9.16 HANDLEEXCEPTION INJECTION

Description

vm2 is a sandbox that can run untrusted code with whitelisted Node’s built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.

References

https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244

https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049

https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5

https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m

For More Information

Contact us to get started

CVE-2024-21511 : MYSQL2 UP TO 3.9.6 READCODEFOR TIMEZONE CODE INJECTION

CVE-2024-21511 : MYSQL2 UP TO 3.9.6 READCODEFOR TIMEZONE CODE INJECTION

Description Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the

Learn more

CVE-2024-29733 : APACHE AIRFLOW UP TO 3.6.X FTP PROVIDER CERTIFICATE VALIDATION

CVE-2024-29733 : APACHE AIRFLOW UP TO 3.6.X FTP PROVIDER CERTIFICATE VALIDATION

Description Improper Certificate Validation vulnerability in Apache Airflow FTP Provider. The FTP hook lacks complete certificate validation in FTP_TLS connections,

Learn more

CVE-2024-29204 : IVANTI AVALANCHE UP TO 6.4.2 WLAVALANCHESERVICE HEAP-BASED OVERFLOW

CVE-2024-29204 : IVANTI AVALANCHE UP TO 6.4.2 WLAVALANCHESERVICE HEAP-BASED OVERFLOW

Description A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute

Learn more