Bug 2244413 (CVE-2023-39331)

Summary: CVE-2023-39331 nodejs: permission model improperly protects against path traversal
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: hhorak, jorton, nodejs-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2244449, 2244450, 2244441, 2244442, 2244443, 2244444, 2244445, 2244446, 2244447, 2244448, 2244451, 2244492, 2258562, 2258563    
Bug Blocks: 2244419    

Description Dhananjay Arunesh 2023-10-16 12:27:33 UTC 
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations.

References:
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
Comment 1 Dhananjay Arunesh 2023-10-16 14:24:28 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2244441]
Affects: fedora-37 [bug 2244447]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-38 [bug 2244442]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-38 [bug 2244443]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2244444]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2244450]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2244448]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2244449]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-38 [bug 2244445]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2244446]
Comment 7 errata-xmlrpc 2023-11-14 16:55:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7205 https://access.redhat.com/errata/RHSA-2023:7205
Comment 9 Sandipan Roy 2023-12-22 18:16:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHEA-2023:6529 https://access.redhat.com/errata/RHEA-2023:6529
Comment 11 Dhananjay Arunesh 2024-01-16 09:55:08 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2258562]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2258563]
Comment 13 eachhabitual 2024-04-16 04:23:20 UTC Comment hidden (spam)
Comment 14 Alexander23 2024-05-16 06:57:27 UTC Comment hidden (spam)
Comment 15 stevejobb 2024-06-27 03:31:49 UTC Comment hidden (spam)
Comment 16 Michael 2024-07-24 02:04:16 UTC Comment hidden (spam)