Bug 2244523

Summary:	Node.js 16.x < 16.20.2 Multiple Vulnerabilities
Product:	[Fedora] Fedora EPEL	Reporter:	Nicholas Clark <nicholas.clark>
Component:	nodejs	Assignee:	NodeJS Packaging SIG <nodejs-sig>
Status:	CLOSED EOL	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	epel7	CC:	mrunge, nodejs-sig, sgallagh, thrcka, zsvetlik
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2024-07-09 04:26:54 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Nicholas Clark 2023-10-16 18:37:27 UTC

Description of problem:
The version of Node.js is prior to 16.20.2. It is, therefore, affected by multiple vulnerabilities as referenced in the Wednesday August 09 2023 Security Releases advisory:
  - Permissions policies can be bypassed via Module._load (CVE-2023-32002)
  - Permission model bypass by specifying a path traversal sequence in a Buffer (CVE-2023-32004)
  - process.binding() can bypass the permission model through path traversal (CVE-2023-32558)
  - Permissions policies can impersonate other modules in using module.constructor.createRequire() (CVE-2023-32006)
  - Permissions policies can be bypassed via process.binding (CVE-2023-32559)
  - fs.statfs can retrive stats from files restricted by the Permission Model (CVE-2023-32005)
  - fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks (CVE-2023-32003)



Version-Release number of selected component (if applicable):
16.18.1-3.el7.x86_64

Comment 1 Troy Dawson 2024-07-09 04:26:54 UTC

EPEL 7 entered end-of-life (EOL) status on 2024-06-30.\n\nEPEL 7 is no longer maintained, which means that it\nwill not receive any further security or bug fix updates.\n As a result we are closing this bug.