Bug 2244418 (CVE-2023-39333)

Summary: CVE-2023-39333 nodejs: code injection via WebAssembly export names
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: hhorak, jorton, nodejs-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2244476, 2244490, 2244491, 2244465, 2244478, 2244480, 2244482, 2244484, 2244486, 2244488, 2244489    
Bug Blocks: 2244419    

Description Dhananjay Arunesh 2023-10-16 12:46:46 UTC 
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module.

References:
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
Comment 2 Dhananjay Arunesh 2023-10-16 14:57:31 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2244476]
Affects: fedora-37 [bug 2244489]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-38 [bug 2244480]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-38 [bug 2244484]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2244478]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2244491]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2244488]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2244490]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-38 [bug 2244482]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2244486]
Comment 6 errata-xmlrpc 2023-10-18 16:21:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5849 https://access.redhat.com/errata/RHSA-2023:5849
Comment 8 errata-xmlrpc 2023-10-18 23:09:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5869 https://access.redhat.com/errata/RHSA-2023:5869
Comment 9 errata-xmlrpc 2023-11-14 16:55:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7205 https://access.redhat.com/errata/RHSA-2023:7205
Comment 11 Dhananjay Arunesh 2024-05-27 06:29:23 UTC 
The inclusion of nodejs:20/nodejs commenced with RHEL-9.3GA through RHEA-2023:6529 (https://access.redhat.com/errata/RHEA-2023:6529), which inherently incorporates the fix for CVE-2023-39333. Hence, Nodejs-20, as shipped with Red Hat Enterprise Linux 9, is not affected by this vulnerability. The fixed version is Node.js v20.8.1, updating the rhel-9 nodejs:20/nodejs to notaffected.