Bug 2244418 (CVE-2023-39333)
| Field | Value |
|---|---|
| Summary | CVE-2023-39333 nodejs: code injection via WebAssembly export names |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | NEW |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Keywords | Security |
| Reporter | Dhananjay Arunesh <darunesh> |
| Assignee | Product Security <prodsec-ir-bot> |
| CC | hhorak, jorton, nodejs-maint |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | (none) |
| Doc Type | If docs needed, set a value |
| Bug Depends On | 2244476, 2244490, 2244491, 2244465, 2244478, 2244480, 2244482, 2244484, 2244486, 2244488, 2244489 |
| Bug Blocks | 2244419 |

Doc Text:

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, as if the WebAssembly module were a JavaScript module.
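The bug class behind the Doc Text is a loader that generates JavaScript source from WebAssembly export names and treats those names as identifiers. Export names are arbitrary UTF-8 strings, so a name such as `a; globalThis.x = 1; //` is legal in the binary and becomes executable code once spliced into generated source. The script below is an added illustration, not Node.js's own loader code: it hand-builds a tiny wasm module (the byte layout, the hypothetical `__injected` global and the malicious export name are all constructed here) and compares a wrapper that interpolates names as bare identifiers with one that only ever emits them as JSON-escaped string literals.

```javascript
'use strict';
// Added illustration of the CVE-2023-39333 bug class, not Node.js code.
// The wasm module is built by hand so the script runs offline in Node.

// Unsigned LEB128, the integer encoding used throughout the wasm binary format.
function uleb128(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}

function section(id, contents) {
  return [id, ...uleb128(contents.length), ...contents];
}

// Minimal module: one function `() -> i32` returning 42, exported under
// `exportName`. Wasm export names are arbitrary UTF-8, not JS identifiers.
function buildWasmModule(exportName) {
  const name = [...Buffer.from(exportName, 'utf8')];
  const typeSec = section(1, [1, 0x60, 0, 1, 0x7f]);          // functype () -> i32
  const funcSec = section(3, [1, 0]);                           // func 0 has type 0
  const exportSec = section(7, [1, ...uleb128(name.length), ...name, 0x00, 0]); // export func 0
  const codeSec = section(10, [1, 4, 0, 0x41, 42, 0x0b]);      // no locals; i32.const 42; end
  return new Uint8Array([0x00, 0x61, 0x73, 0x6d, 1, 0, 0, 0,
    ...typeSec, ...funcSec, ...exportSec, ...codeSec]);
}

// Vulnerable pattern: the export name is interpolated as a bare identifier,
// so everything after the first `;` in the name becomes executable JS.
function buildWrapperUnsafe(names) {
  return names.map((n) => `exports.${n} = instance.exports.${n};`).join('\n');
}

// Hardened pattern: names only ever appear as JSON-escaped string literals,
// which cannot terminate the literal or the statement they sit in.
function buildWrapperSafe(names) {
  return names.map((n) => {
    const lit = JSON.stringify(n);
    return `exports[${lit}] = instance.exports[${lit}];`;
  }).join('\n');
}

// Stand-in for the loader compiling its generated source. `new Function`
// shares the ambient global scope, as a generated JS module would.
function runWrapper(source, instance) {
  const exports = {};
  new Function('exports', 'instance', source)(exports, instance);
  return exports;
}

// Constructed malicious export name: valid in the wasm binary, hostile in JS.
const MALICIOUS_NAME = 'a; globalThis.__injected = "pwned"; //';

// Compile, enumerate export names (as a loader would), and run the wrapper.
function loadWith(buildWrapper) {
  delete globalThis.__injected;                      // hypothetical marker global
  const mod = new WebAssembly.Module(buildWasmModule(MALICIOUS_NAME));
  const names = WebAssembly.Module.exports(mod).map((e) => e.name);
  const instance = new WebAssembly.Instance(mod, {});
  const wrapped = runWrapper(buildWrapper(names), instance);
  const fn = wrapped[MALICIOUS_NAME];
  return {
    names,
    injected: globalThis.__injected,                 // set only if injected code ran
    value: typeof fn === 'function' ? fn() : undefined,
  };
}

function main() {
  const unsafe = loadWith(buildWrapperUnsafe);
  if (unsafe.injected !== 'pwned') throw new Error('expected injection to run');
  const safe = loadWith(buildWrapperSafe);
  if (safe.injected !== undefined || safe.value !== 42) throw new Error('hardened wrapper broken');
  console.log('unsafe:', unsafe, '\nsafe:', safe);
}

if (typeof require !== 'undefined' && require.main === module) main();
```

The check a practitioner wants is the one `loadWith` returns: with the unsafe wrapper the marker global is set and the export is never even bound, whereas with the hardened wrapper the export is callable and nothing leaks. Escaping with `JSON.stringify` works because every JSON string is a valid ECMAScript string literal; the stricter alternative is to reject any export name that is not a plain identifier before generating code at all. In Node.js the affected path was the experimental ESM WebAssembly integration behind `--experimental-wasm-modules`, which is why the bug is rated low.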
Description
Dhananjay Arunesh
2023-10-16 12:46:46 UTC
Created nodejs tracking bugs for this issue:
Affects: epel-7 [bug 2244476]
Affects: fedora-37 [bug 2244489]

Created nodejs16 tracking bugs for this issue:
Affects: fedora-38 [bug 2244480]

Created nodejs18 tracking bugs for this issue:
Affects: fedora-38 [bug 2244484]

Created nodejs20 tracking bugs for this issue:
Affects: fedora-38 [bug 2244478]

Created nodejs:13/nodejs tracking bugs for this issue:
Affects: epel-8 [bug 2244491]

Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-37 [bug 2244488]

Created nodejs:16-epel/nodejs tracking bugs for this issue:
Affects: epel-8 [bug 2244490]

Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-38 [bug 2244482]

Created nodejs:18/nodejs tracking bugs for this issue:
Affects: fedora-37 [bug 2244486]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:5849 https://access.redhat.com/errata/RHSA-2023:5849

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:5869 https://access.redhat.com/errata/RHSA-2023:5869

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:7205 https://access.redhat.com/errata/RHSA-2023:7205

The inclusion of nodejs:20/nodejs commenced with RHEL-9.3GA through RHEA-2023:6529 (https://access.redhat.com/errata/RHEA-2023:6529), which inherently incorporates the fix for CVE-2023-39333. Hence, Nodejs-20, as shipped with Red Hat Enterprise Linux 9, is not affected by this vulnerability. The fixed version is Node.js v20.8.1, updating the rhel-9 nodejs:20/nodejs to notaffected.