CVE-2019-10761
CVSS V2 None
CVSS V3 High 8.3
Description
This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.
Overview
- CVE ID
- CVE-2019-10761
- Assigner
- report@snyk.io
- Vulnerability Status
- Analyzed
- Published Version
- 2022-07-13T09:15:08
- Last Modified Date
- 2022-07-21T10:38:40
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:* | 1 | OR | 3.6.11 |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- CHANGED
- Confidentiality Impact
- LOW
- Availability Impact
- LOW
- Base Score
- 8.3
- Base Severity
- HIGH
- Exploitability Score
- 3.9
- Impact Score
- 3.7
References
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2019-10761 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10761 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-07-13 17:01:00 | Added to TrackCVE |