Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2023:3355-1

Опубликовано: 18 авг. 2023
Источник: suse-cvrf

Описание

Security update for nodejs16

This update for nodejs16 fixes the following issues:

Update to LTS version 16.20.2:

  • CVE-2023-32002: Fixed permissions policies bypass via Module._load (bsc#1214150).
  • CVE-2023-32006: Fixed permissions policies impersonation using module.constructor.createRequire() (bsc#1214156).
  • CVE-2023-32559: Fixed permissions policies bypass via process.binding (bsc#1214154).

Список пакетов

SUSE Linux Enterprise Module for Web and Scripting 12
nodejs16-16.20.2-8.33.1
nodejs16-devel-16.20.2-8.33.1
nodejs16-docs-16.20.2-8.33.1
npm16-16.20.2-8.33.1

Ссылки

Описание

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-16.20.2-8.33.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-devel-16.20.2-8.33.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-docs-16.20.2-8.33.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm16-16.20.2-8.33.1
Ссылки

Описание

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-16.20.2-8.33.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-devel-16.20.2-8.33.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-docs-16.20.2-8.33.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm16-16.20.2-8.33.1
Ссылки

Описание

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-16.20.2-8.33.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-devel-16.20.2-8.33.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-docs-16.20.2-8.33.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm16-16.20.2-8.33.1
Ссылки
Уязвимость SUSE-SU-2023:3355-1