SUSE-SU-2023:3400-1

Published: 23 Aug 2023
Source: suse-cvrf

Description

Security update for nodejs16

This update for nodejs16 fixes the following issues:

Update to LTS version 16.20.2.

  • CVE-2023-32002: Fixed permissions policies bypass via Module._load (bsc#1214150).
  • CVE-2023-32006: Fixed permissions policies impersonation using module.constructor.createRequire() (bsc#1214156).
  • CVE-2023-32559: Fixed permissions policies bypass via process.binding (bsc#1214154).

Package list

SUSE Enterprise Storage 7.1:
  nodejs16-16.20.2-150300.7.27.2
  nodejs16-devel-16.20.2-150300.7.27.2
  nodejs16-docs-16.20.2-150300.7.27.2
  npm16-16.20.2-150300.7.27.2

SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:
  nodejs16-16.20.2-150300.7.27.2
  nodejs16-devel-16.20.2-150300.7.27.2
  nodejs16-docs-16.20.2-150300.7.27.2
  npm16-16.20.2-150300.7.27.2

SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:
  nodejs16-16.20.2-150300.7.27.2
  nodejs16-devel-16.20.2-150300.7.27.2
  nodejs16-docs-16.20.2-150300.7.27.2
  npm16-16.20.2-150300.7.27.2

SUSE Linux Enterprise Server 15 SP3-LTSS:
  nodejs16-16.20.2-150300.7.27.2
  nodejs16-devel-16.20.2-150300.7.27.2
  nodejs16-docs-16.20.2-150300.7.27.2
  npm16-16.20.2-150300.7.27.2

SUSE Linux Enterprise Server for SAP Applications 15 SP3:
  nodejs16-16.20.2-150300.7.27.2
  nodejs16-devel-16.20.2-150300.7.27.2
  nodejs16-docs-16.20.2-150300.7.27.2
  npm16-16.20.2-150300.7.27.2

SUSE Manager Server 4.2:
  nodejs16-16.20.2-150300.7.27.2
  nodejs16-devel-16.20.2-150300.7.27.2
  nodejs16-docs-16.20.2-150300.7.27.2
  npm16-16.20.2-150300.7.27.2

Description (CVE-2023-32002)

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.


Affected products
SUSE Enterprise Storage 7.1:nodejs16-16.20.2-150300.7.27.2
SUSE Enterprise Storage 7.1:nodejs16-devel-16.20.2-150300.7.27.2
SUSE Enterprise Storage 7.1:nodejs16-docs-16.20.2-150300.7.27.2
SUSE Enterprise Storage 7.1:npm16-16.20.2-150300.7.27.2

Description (CVE-2023-32006)

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.


Affected products
SUSE Enterprise Storage 7.1:nodejs16-16.20.2-150300.7.27.2
SUSE Enterprise Storage 7.1:nodejs16-devel-16.20.2-150300.7.27.2
SUSE Enterprise Storage 7.1:nodejs16-docs-16.20.2-150300.7.27.2
SUSE Enterprise Storage 7.1:npm16-16.20.2-150300.7.27.2

Description (CVE-2023-32559)

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.


Affected products
SUSE Enterprise Storage 7.1:nodejs16-16.20.2-150300.7.27.2
SUSE Enterprise Storage 7.1:nodejs16-devel-16.20.2-150300.7.27.2
SUSE Enterprise Storage 7.1:nodejs16-docs-16.20.2-150300.7.27.2
SUSE Enterprise Storage 7.1:npm16-16.20.2-150300.7.27.2