Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2023:3356-1

Опубликовано: 18 авг. 2023
Источник: suse-cvrf

Описание

Security update for nodejs18

This update for nodejs18 fixes the following issues:

Update to LTS version 18.17.1 (security fixes):

  • CVE-2023-32002: Fixed permissions policies bypass via Module._load (bsc#1214150).
  • CVE-2023-32006: Fixed permissions policies impersonation using module.constructor.createRequire() (bsc#1214156).
  • CVE-2023-32559: Fixed permissions policies bypass via process.binding (bsc#1214154).
  • CVE-2023-30589: Fixed HTTP Request Smuggling via Empty headers separated by CR (bsc#1212582).

Список пакетов

SUSE Linux Enterprise Module for Web and Scripting 12
nodejs18-18.17.1-8.12.1
nodejs18-devel-18.17.1-8.12.1
nodejs18-docs-18.17.1-8.12.1
npm18-18.17.1-8.12.1

Ссылки

Описание

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-18.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-devel-18.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-docs-18.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm18-18.17.1-8.12.1
Ссылки

Описание

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-18.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-devel-18.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-docs-18.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm18-18.17.1-8.12.1
Ссылки

Описание

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-18.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-devel-18.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-docs-18.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm18-18.17.1-8.12.1
Ссылки