Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2023:3306-1

Опубликовано: 14 авг. 2023
Источник: suse-cvrf

Описание

Security update for nodejs14

This update for nodejs14 fixes the following issues:

  • CVE-2023-32002: Fixed permissions policies bypass via Module._load (bsc#1214150).
  • CVE-2023-32006: Fixed permissions policies impersonation using module.constructor.createRequire() (bsc#1214156).
  • CVE-2023-32559: Fixed permissions policies bypass via process.binding (bsc#1214154).
  • CVE-2023-30581: Fixed mainModule.proto bypass (bsc#1212574).
  • CVE-2023-30590: Fixed missing DiffieHellman key generation (bsc#1212583).
  • CVE-2023-30589: Fixed HTTP Request Smuggling via Empty headers separated by CR (bsc#1212582).

Список пакетов

SUSE Linux Enterprise Module for Web and Scripting 12
nodejs14-14.21.3-6.46.1
nodejs14-devel-14.21.3-6.46.1
nodejs14-docs-14.21.3-6.46.1
npm14-14.21.3-6.46.1

Ссылки

Описание

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-devel-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-docs-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm14-14.21.3-6.46.1
Ссылки

Описание

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-devel-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-docs-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm14-14.21.3-6.46.1
Ссылки

Описание

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-devel-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-docs-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm14-14.21.3-6.46.1
Ссылки

Описание

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-devel-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-docs-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm14-14.21.3-6.46.1
Ссылки

Описание

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-devel-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-docs-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm14-14.21.3-6.46.1
Ссылки

Описание

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-devel-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-docs-14.21.3-6.46.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm14-14.21.3-6.46.1
Ссылки