Описание
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
A vulnerability was found in NodeJS. This security issue occurs as the use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') to run arbitrary code outside of the limits defined in a policy.json file.
Отчет
When this CVE was reported, the policy.json file was still experimental in nature and not deployed and widely in environments,which is why at the time when this CVE was submitted,Redhat chose to classify this as moderare.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Software Collections | rh-nodejs14-nodejs | Not affected | ||
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2023:5360 | 26.09.2023 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2023:5362 | 26.09.2023 |
| Red Hat Enterprise Linux 8.6 Extended Update Support | nodejs | Fixed | RHSA-2023:5361 | 26.09.2023 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2023:5363 | 26.09.2023 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2023:5532 | 09.10.2023 |
| Red Hat Enterprise Linux 9.0 Extended Update Support | nodejs | Fixed | RHSA-2023:5533 | 09.10.2023 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x 18.x and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued the policy is an experimental feature of Node.js.
A privilege escalation vulnerability exists in the experimental policy ...
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
EPSS
7.5 High
CVSS3