{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37903", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-10T17:51:29.610Z", "datePublished": "2023-07-21T19:42:09.346Z", "dateUpdated": "2025-02-13T17:01:37.011Z"}, "containers": {"cna": {"title": "Sandbox Escape in vm2", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4"}, {"url": "https://security.netapp.com/advisory/ntap-20230831-0007/"}], "affected": [{"vendor": "patriksimek", "product": "vm2", "versions": [{"version": "<= 3.9.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-31T18:06:31.120Z"}, "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software."}], "source": {"advisory": "GHSA-g644-9gfx-q4q4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:23:27.770Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4"}, {"url": "https://security.netapp.com/advisory/ntap-20230831-0007/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "5F54A6F9-FD6B-4E23-A6B7-616952129C1C", "versionEndIncluding": "3.9.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software."}], "id": "CVE-2023-37903", "lastModified": "2024-11-21T08:12:26.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-21T20:15:16.057", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230831-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230831-0007/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-agent-service-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-apiserver-network-proxy-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-assisted-image-service-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-assisted-installer-agent-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-assisted-installer-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-assisted-installer-reporter-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-aws-encryption-provider-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-cluster-api-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-cluster-api-provider-agent-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-cluster-api-provider-aws-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-cluster-api-provider-azure-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-cluster-api-provider-kubevirt-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-clusterclaims-controller-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-cluster-curator-controller-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-clusterlifecycle-state-metrics-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-cluster-proxy-addon-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-cluster-proxy-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-console-mce-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-discovery-operator-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-hive-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-hypershift-addon-operator-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-hypershift-deployment-controller-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-hypershift-operator-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-klusterlet-operator-bundle-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-managedcluster-import-controller-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-managed-serviceaccount-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-multicloud-manager-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-must-gather-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-operator-bundle-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-operator-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-placement-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-provider-credential-controller-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-registration-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-registration-operator-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4972", "cpe": "cpe:/a:redhat:multicluster_engine:2.1::el8", "package": "multicluster-engine-work-container", "product_name": "Multicluster Engine for Kubernetes", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4650", "cpe": "cpe:/a:redhat:multicluster_engine:2.2::el8", "package": "multicluster-engine/console-mce-rhel8:v2.2.7-4", "product_name": "multicluster engine for Kubernetes 2.2 for RHEL 8", "release_date": "2023-08-14T00:00:00Z"}, {"advisory": "RHSA-2023:4650", "cpe": "cpe:/a:redhat:multicluster_engine:2.2::el8", "package": "multicluster-engine/multicluster-engine-console-mce-rhel8:v2.2.7-4", "product_name": "multicluster engine for Kubernetes 2.2 for RHEL 8", "release_date": "2023-08-14T00:00:00Z"}, {"advisory": "RHSA-2023:4862", "cpe": "cpe:/a:redhat:multicluster_engine:2.3::el8", "package": "multicluster-engine/console-mce-rhel8:v2.3.1-7", "product_name": "multicluster engine for Kubernetes 2.3 for RHEL 8", "release_date": "2023-08-29T00:00:00Z"}, {"advisory": "RHSA-2023:4862", "cpe": "cpe:/a:redhat:multicluster_engine:2.3::el8", "package": "multicluster-engine/multicluster-engine-console-mce-rhel8:v2.3.1-7", "product_name": "multicluster engine for Kubernetes 2.3 for RHEL 8", "release_date": "2023-08-29T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "acm-governance-policy-addon-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "acm-grafana-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "acm-must-gather-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "acm-operator-bundle-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "acm-prometheus-config-reloader-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "acm-prometheus-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "acm-volsync-addon-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "cert-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "cluster-backup-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "config-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "console-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "endpoint-monitoring-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "governance-policy-propagator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "governance-policy-spec-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "governance-policy-status-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "governance-policy-template-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "grafana-dashboard-loader-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "iam-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "insights-client-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "insights-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "klusterlet-addon-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "kube-rbac-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "kube-state-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "management-ingress-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "memcached-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "memcached-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "metrics-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "multicloud-integrations-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "multiclusterhub-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "multiclusterhub-repo-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "multicluster-observability-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "multicluster-operators-application-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "multicluster-operators-channel-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "multicluster-operators-subscription-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "node-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "observatorium-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "observatorium-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "prometheus-alertmanager-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "prometheus-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "rbac-query-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "redisgraph-tls-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "search-aggregator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "search-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "search-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "search-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "submariner-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "thanos-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4980", "cpe": "cpe:/a:redhat:acm:2.6::el8", "package": "thanos-receive-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4654", "cpe": "cpe:/a:redhat:acm:2.7::el8", "package": "rhacm2/console-rhel8:v2.7.7-4", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8", "release_date": "2023-08-15T00:00:00Z"}, {"advisory": "RHSA-2023:4875", "cpe": "cpe:/a:redhat:acm:2.8::el8", "package": "rhacm2/console-rhel8:v2.8.1-7", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8", "release_date": "2023-08-30T00:00:00Z"}], "bugzilla": {"description": "vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code", "id": "2224969", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224969"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-78", "details": ["vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.", "A flaw was found in the vm2 custom inspect function, which allows attackers to escape the sandbox. This flaw allows attackers to run arbitrary code."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2023-37903", "public_date": "2023-07-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-37903\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-37903\nhttps://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4"], "threat_severity": "Moderate"}