What is CVE-2023-29199?

CVE-2023-29199 is a critical-severity vulnerability in Patriksimek Vm2, classified under Improper Control of Dynamically-Managed Code Resources. CVSS score: 9.8/10. Published 2023-04-14.

How severe is CVE-2023-29199?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2023-29199 known to be exploited?

8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Patriksimek Vm2

CVE-2023-29199

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the…

EPSS: 0.250 (96.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Patriksimek Vm2 — versions < 3.9.16

Weakness classification (CWE)

CWE-913 — Improper Control of Dynamically-Managed Code Resources

Public proof-of-concept exploits

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985 (x_refsource_CONFIRM)
https://github.com/patriksimek/vm2/issues/516 (x_refsource_MISC)
https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7 (x_refsource_MISC)
https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c (x_refsource_MISC)
https://github.com/patriksimek/vm2/releases/tag/3.9.16 (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-29199?: CVE-2023-29199 is a critical-severity vulnerability in Patriksimek Vm2, classified under Improper Control of Dynamically-Managed Code Resources. CVSS score: 9.8/10. Published 2023-04-14.
How severe is CVE-2023-29199?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2023-29199 known to be exploited?: 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.