Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2023:3379-1

Опубликовано: 22 авг. 2023
Источник: suse-cvrf

Описание

Security update for nodejs16

This update for nodejs16 fixes the following issues:

Update to LTS version 16.20.2.

  • CVE-2023-32002: Fixed permissions policies bypass via Module._load (bsc#1214150).
  • CVE-2023-32006: Fixed permissions policies impersonation using module.constructor.createRequire() (bsc#1214156).
  • CVE-2023-32559: Fixed permissions policies bypass via process.binding (bsc#1214154).

Список пакетов

Container bci/node:16
nodejs16-16.20.2-150400.3.24.1
npm16-16.20.2-150400.3.24.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4
nodejs16-16.20.2-150400.3.24.1
nodejs16-devel-16.20.2-150400.3.24.1
nodejs16-docs-16.20.2-150400.3.24.1
npm16-16.20.2-150400.3.24.1
openSUSE Leap 15.4
corepack16-16.20.2-150400.3.24.1
nodejs16-16.20.2-150400.3.24.1
nodejs16-devel-16.20.2-150400.3.24.1
nodejs16-docs-16.20.2-150400.3.24.1
npm16-16.20.2-150400.3.24.1

Ссылки

Описание

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
Container bci/node:16:nodejs16-16.20.2-150400.3.24.1
Container bci/node:16:npm16-16.20.2-150400.3.24.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-16.20.2-150400.3.24.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-devel-16.20.2-150400.3.24.1
Ссылки

Описание

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
Container bci/node:16:nodejs16-16.20.2-150400.3.24.1
Container bci/node:16:npm16-16.20.2-150400.3.24.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-16.20.2-150400.3.24.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-devel-16.20.2-150400.3.24.1
Ссылки

Описание

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Затронутые продукты
Container bci/node:16:nodejs16-16.20.2-150400.3.24.1
Container bci/node:16:npm16-16.20.2-150400.3.24.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-16.20.2-150400.3.24.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-devel-16.20.2-150400.3.24.1
Ссылки