Bug 2230955 (CVE-2023-32006)
| Summary: | CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire() | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | hhorak, jorton, nodejs-maint |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A vulnerability was found in NodeJS. This security issue occurs as the use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2233387, 2233389, 2230968, 2230969, 2230970, 2230971, 2233384, 2233385, 2233386, 2233388, 2233390, 2233391, 2233392, 2233393, 2233895, 2233896, 2234406, 2234411, 2236092, 2236104, 2236140 | ||
| Bug Blocks: | 2230962 | ||
|
Description
Mauro Matteo Cascella
2023-08-10 10:04:22 UTC
Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 2233388] Affects: fedora-37 [bug 2233384] Created nodejs16 tracking bugs for this issue: Affects: fedora-38 [bug 2233390] Created nodejs18 tracking bugs for this issue: Affects: fedora-38 [bug 2233391] Created nodejs20 tracking bugs for this issue: Affects: fedora-38 [bug 2233392] Created nodejs:13/nodejs tracking bugs for this issue: Affects: epel-8 [bug 2233389] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-37 [bug 2233386] Created nodejs:16-epel/nodejs tracking bugs for this issue: Affects: epel-8 [bug 2233387] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-38 [bug 2233393] Created nodejs:18/nodejs tracking bugs for this issue: Affects: fedora-37 [bug 2233385] This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:5361 https://access.redhat.com/errata/RHSA-2023:5361 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5363 https://access.redhat.com/errata/RHSA-2023:5363 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5360 https://access.redhat.com/errata/RHSA-2023:5360 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5362 https://access.redhat.com/errata/RHSA-2023:5362 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5532 https://access.redhat.com/errata/RHSA-2023:5532 |