Описание
Security update for nodejs12
This update for nodejs12 fixes the following issues:
- CVE-2023-23918: Fixed permissions policies bypass via process.mainModule (bsc#1208481).
- CVE-2023-32002: Fixed permissions policies bypass via Module._load (bsc#1214150).
- CVE-2023-32006: Fixed permissions policies impersonation using module.constructor.createRequire() (bsc#1214156).
- CVE-2023-32559: Fixed permissions policies bypass via process.binding (bsc#1214154).
- CVE-2023-30581: Fixed mainModule.proto bypass (bsc#1212574).
- CVE-2023-30590: Fixed missing DiffieHellman key generation (bsc#1212583).
- CVE-2023-30589: Fixed HTTP Request Smuggling via Empty headers separated by CR (bsc#1212582).
Список пакетов
SUSE Enterprise Storage 7
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
SUSE Linux Enterprise Server 15 SP2-LTSS
SUSE Linux Enterprise Server 15 SP3-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP2
SUSE Linux Enterprise Server for SAP Applications 15 SP3
SUSE Manager Server 4.2
openSUSE Leap 15.4
Ссылки
- Link for SUSE-SU-2023:3455-1
- E-Mail link for SUSE-SU-2023:3455-1
- SUSE Security Ratings
- SUSE Bug 1208481
- SUSE Bug 1212574
- SUSE Bug 1212582
- SUSE Bug 1212583
- SUSE Bug 1214150
- SUSE Bug 1214154
- SUSE Bug 1214156
- SUSE CVE CVE-2023-23918 page
- SUSE CVE CVE-2023-30581 page
- SUSE CVE CVE-2023-30589 page
- SUSE CVE CVE-2023-30590 page
- SUSE CVE CVE-2023-32002 page
- SUSE CVE CVE-2023-32006 page
- SUSE CVE CVE-2023-32559 page
Описание
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
Затронутые продукты
Ссылки
- CVE-2023-23918
- SUSE Bug 1208481
Описание
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js
Затронутые продукты
Ссылки
- CVE-2023-30581
- SUSE Bug 1212574
Описание
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
Затронутые продукты
Ссылки
- CVE-2023-30589
- SUSE Bug 1212582
Описание
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.
Затронутые продукты
Ссылки
- CVE-2023-30590
- SUSE Bug 1212583
Описание
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Затронутые продукты
Ссылки
- CVE-2023-32002
- SUSE Bug 1214150
Описание
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Затронутые продукты
Ссылки
- CVE-2023-32006
- SUSE Bug 1214156
Описание
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Затронутые продукты
Ссылки
- CVE-2023-32559
- SUSE Bug 1214154