Threat actors could exploit an already patched critical security flaw in vm2, a widely used Node.js sandbox library, to achieve remote command execution, according to The Hacker News.
Discovered by application security company Oxeye, the vulnerability, dubbed 'Sandbreak' and tracked as CVE-2022-36067, stems from the handling of a Node.js error mechanism, which can be abused to escape the sandbox. Such a security bug could allow evasion of the vm2 sandbox environment and enable shell command execution on systems hosting the sandbox, researchers said. Users of vm2 have been urged to immediately apply the software update addressing the flaw, which was issued on August 28. "Sandboxes serve different purposes in modern applications, such as examining attached files in email servers, providing an additional security layer in web browsers, or isolating actively running applications in certain operating systems. Given the nature of the use cases for sandboxes, it's clear that the vm2 vulnerability can have dire consequences for applications that use vm2 without patching," said Oxeye.
Vulnerabilities impacting cloud analytics and business intelligence software Qlik Sense have been exploited to facilitate the deployment of CACTUS ransomware in a new campaign, The Hacker News reports.