Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2023:3378-1

Опубликовано: 22 авг. 2023
Источник: suse-cvrf

Описание

Security update for nodejs18

This update for nodejs18 fixes the following issues:

Update to LTS version 18.17.1.

  • CVE-2023-32002: Fixed permissions policies bypass via Module._load (bsc#1214150).
  • CVE-2023-32006: Fixed permissions policies impersonation using module.constructor.createRequire() (bsc#1214156).
  • CVE-2023-32559: Fixed permissions policies bypass via process.binding (bsc#1214154).

Список пакетов

Container bci/node:18
nodejs18-18.17.1-150400.9.12.1
npm18-18.17.1-150400.9.12.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4
nodejs18-18.17.1-150400.9.12.1
nodejs18-devel-18.17.1-150400.9.12.1
nodejs18-docs-18.17.1-150400.9.12.1
npm18-18.17.1-150400.9.12.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP5
nodejs18-18.17.1-150400.9.12.1
nodejs18-devel-18.17.1-150400.9.12.1
nodejs18-docs-18.17.1-150400.9.12.1
npm18-18.17.1-150400.9.12.1
openSUSE Leap 15.4
corepack18-18.17.1-150400.9.12.1
nodejs18-18.17.1-150400.9.12.1
nodejs18-devel-18.17.1-150400.9.12.1
nodejs18-docs-18.17.1-150400.9.12.1
npm18-18.17.1-150400.9.12.1
openSUSE Leap 15.5
corepack18-18.17.1-150400.9.12.1
nodejs18-18.17.1-150400.9.12.1
nodejs18-devel-18.17.1-150400.9.12.1
nodejs18-docs-18.17.1-150400.9.12.1
npm18-18.17.1-150400.9.12.1

Ссылки

Описание

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
Container bci/node:18:nodejs18-18.17.1-150400.9.12.1
Container bci/node:18:npm18-18.17.1-150400.9.12.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-18.17.1-150400.9.12.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-devel-18.17.1-150400.9.12.1
Ссылки

Описание

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
Container bci/node:18:nodejs18-18.17.1-150400.9.12.1
Container bci/node:18:npm18-18.17.1-150400.9.12.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-18.17.1-150400.9.12.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-devel-18.17.1-150400.9.12.1
Ссылки

Описание

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
Container bci/node:18:nodejs18-18.17.1-150400.9.12.1
Container bci/node:18:npm18-18.17.1-150400.9.12.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-18.17.1-150400.9.12.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-devel-18.17.1-150400.9.12.1
Ссылки