Bug 2230948 (CVE-2023-32002)

Summary: CVE-2023-32002 nodejs: Permissions policies can be bypassed via Module._load
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: hhorak, jorton, nodejs-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in NodeJS. This security issue occurs as the use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2233374, 2233376, 2230964, 2230965, 2230966, 2230967, 2233371, 2233372, 2233373, 2233375, 2233377, 2233378, 2233380, 2233381, 2233855, 2233856, 2233857, 2233858, 2233859, 2233860, 2233861, 2233862, 2233893, 2233894, 2234405, 2234410    
Bug Blocks: 2230962    

Description Mauro Matteo Cascella 2023-08-10 09:55:34 UTC 
The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.

Security Advisory:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-module_load-highcve-2023-32002
Comment 2 Sandipan Roy 2023-08-22 07:06:50 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2233375]
Affects: fedora-37 [bug 2233371]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-38 [bug 2233377]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-38 [bug 2233378]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2233380]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2233376]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2233373]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2233374]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-38 [bug 2233381]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2233372]
Comment 4 errata-xmlrpc 2023-09-26 14:50:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5361 https://access.redhat.com/errata/RHSA-2023:5361
Comment 5 errata-xmlrpc 2023-09-26 14:51:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5363 https://access.redhat.com/errata/RHSA-2023:5363
Comment 6 errata-xmlrpc 2023-09-26 14:52:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5360 https://access.redhat.com/errata/RHSA-2023:5360
Comment 7 errata-xmlrpc 2023-09-26 14:58:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5362 https://access.redhat.com/errata/RHSA-2023:5362
Comment 8 errata-xmlrpc 2023-10-09 10:26:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533
Comment 9 errata-xmlrpc 2023-10-09 10:26:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5532 https://access.redhat.com/errata/RHSA-2023:5532