Описание
The use of the deprecated API process.binding() can bypass the permission model through path traversal.
This vulnerability affects all users using the experimental permission model in Node.js 20.x.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
A vulnerability was found in NodeJS. This security issue occurs as the use of the deprecated API process.binding() can bypass the permission model through path traversal.
Отчет
For this CVE no Red Hat Products are affected as this CVE only affects Node.js version 20, specifically within the experimental permission model feature of Node.js 20, that we are not shipped.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | nodejs:16/nodejs | Not affected | ||
| Red Hat Enterprise Linux 8 | nodejs:18/nodejs | Not affected | ||
| Red Hat Enterprise Linux 9 | nodejs | Not affected | ||
| Red Hat Enterprise Linux 9 | nodejs:18/nodejs | Not affected | ||
| Red Hat Software Collections | rh-nodejs14-nodejs | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
The use of the deprecated API `process.binding()` can bypass the permi ...
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Уязвимость функции process.binding() программной платформы Node.js, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации
EPSS
7.5 High
CVSS3