Bug 2244523 - Node.js 16.x < 16.20.2 Multiple Vulnerabilities
Summary: Node.js 16.x < 16.20.2 Multiple Vulnerabilities
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nodejs
Version: epel7
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: NodeJS Packaging SIG
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-10-16 18:37 UTC by Nicholas Clark
Modified: 2024-07-09 04:26 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-07-09 04:26:54 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Nicholas Clark 2023-10-16 18:37:27 UTC 
Description of problem:
The version of Node.js is prior to 16.20.2. It is, therefore, affected by multiple vulnerabilities as referenced in the Wednesday August 09 2023 Security Releases advisory:
  - Permissions policies can be bypassed via Module._load (CVE-2023-32002)
  - Permission model bypass by specifying a path traversal sequence in a Buffer (CVE-2023-32004)
  - process.binding() can bypass the permission model through path traversal (CVE-2023-32558)
  - Permissions policies can impersonate other modules in using module.constructor.createRequire() (CVE-2023-32006)
  - Permissions policies can be bypassed via process.binding (CVE-2023-32559)
  - fs.statfs can retrive stats from files restricted by the Permission Model (CVE-2023-32005)
  - fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks (CVE-2023-32003)



Version-Release number of selected component (if applicable):
16.18.1-3.el7.x86_64
Comment 1 Troy Dawson 2024-07-09 04:26:54 UTC 
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.\n\nEPEL 7 is no longer maintained, which means that it\nwill not receive any further security or bug fix updates.\n As a result we are closing this bug.
Note You need to log in before you can comment on or make changes to this bug.