The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Security Advisory: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-processbinding-mediumcve-2023-32559
Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 2233397] Affects: fedora-37 [bug 2233402] Created nodejs16 tracking bugs for this issue: Affects: fedora-38 [bug 2233398] Created nodejs18 tracking bugs for this issue: Affects: fedora-38 [bug 2233401] Created nodejs20 tracking bugs for this issue: Affects: fedora-38 [bug 2233406] Created nodejs:13/nodejs tracking bugs for this issue: Affects: epel-8 [bug 2233400] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-37 [bug 2233404] Created nodejs:16-epel/nodejs tracking bugs for this issue: Affects: epel-8 [bug 2233403] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-38 [bug 2233407] Created nodejs:18/nodejs tracking bugs for this issue: Affects: fedora-37 [bug 2233399]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:5361 https://access.redhat.com/errata/RHSA-2023:5361
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5363 https://access.redhat.com/errata/RHSA-2023:5363
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5360 https://access.redhat.com/errata/RHSA-2023:5360
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5362 https://access.redhat.com/errata/RHSA-2023:5362
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5532 https://access.redhat.com/errata/RHSA-2023:5532