Bug 2171935 (CVE-2023-23918) - CVE-2023-23918 Node.js: Permissions policies can be bypassed via process.mainModule
Summary: CVE-2023-23918 Node.js: Permissions policies can be bypassed via process.main...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-23918
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2172148 2172149 2172150 2172151 2172152 2172153 2172154 2172155 2172156 2172157 2172158 2172159 2172160 2172161 2175841 2175842 2175843 2175844 2178107 2178108 2178109 2178110 2178111 2178112 2178113 2178114 2178153 2178154 2178155
Blocks: 2171920 (Embargoed)
Reported: 2023-02-20 22:12 UTC by Zack Miele
Modified: 2023-05-09 20:46 UTC

Fixed In Version: Node.js 19.6.1, Node.js 18.14.1, Node.js 16.19.1, Node.js 14.21.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-09 20:46:33 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2023:1546 | 0 | None | None | None | 2023-04-03 12:04:24 UTC
Red Hat Product Errata | RHBA-2023:1776 | 0 | None | None | None | 2023-04-13 14:58:58 UTC
Red Hat Product Errata | RHBA-2023:1799 | 0 | None | None | None | 2023-04-17 07:30:53 UTC
Red Hat Product Errata | RHBA-2023:1807 | 0 | None | None | None | 2023-04-17 14:08:06 UTC
Red Hat Product Errata | RHBA-2023:1808 | 0 | None | None | None | 2023-04-17 14:08:18 UTC
Red Hat Product Errata | RHBA-2023:1856 | 0 | None | None | None | 2023-04-18 22:33:22 UTC
Red Hat Product Errata | RHBA-2023:1927 | 0 | None | None | None | 2023-04-24 01:07:55 UTC
Red Hat Product Errata | RHSA-2023:1533 | 0 | None | None | None | 2023-03-30 12:36:10 UTC
Red Hat Product Errata | RHSA-2023:1582 | 0 | None | None | None | 2023-04-04 09:48:25 UTC
Red Hat Product Errata | RHSA-2023:1583 | 0 | None | None | None | 2023-04-04 09:48:38 UTC
Red Hat Product Errata | RHSA-2023:1742 | 0 | None | None | None | 2023-04-12 14:58:54 UTC
Red Hat Product Errata | RHSA-2023:1743 | 0 | None | None | None | 2023-04-12 14:59:18 UTC
Red Hat Product Errata | RHSA-2023:1744 | 0 | None | None | None | 2023-04-12 15:07:42 UTC
Red Hat Product Errata | RHSA-2023:2654 | 0 | None | None | None | 2023-05-09 11:46:39 UTC
Red Hat Product Errata | RHSA-2023:2655 | 0 | None | None | None | 2023-05-09 11:46:52 UTC

Description Zack Miele 2023-02-20 22:12:52 UTC
It was possible to bypass Permissions and access non-authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.

Comment 1 Zack Miele 2023-02-21 15:28:41 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2172149]
Affects: fedora-all [bug 2172148]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2172151]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2172152]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2172150]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2172153]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2172154]

Comment 5 errata-xmlrpc 2023-03-30 12:36:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533

Comment 6 errata-xmlrpc 2023-04-04 09:48:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1582 https://access.redhat.com/errata/RHSA-2023:1582

Comment 7 errata-xmlrpc 2023-04-04 09:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1583 https://access.redhat.com/errata/RHSA-2023:1583

Comment 8 errata-xmlrpc 2023-04-12 14:58:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742

Comment 9 errata-xmlrpc 2023-04-12 14:59:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1743 https://access.redhat.com/errata/RHSA-2023:1743

Comment 10 errata-xmlrpc 2023-04-12 15:07:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:1744 https://access.redhat.com/errata/RHSA-2023:1744

Comment 11 errata-xmlrpc 2023-05-09 11:46:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2654 https://access.redhat.com/errata/RHSA-2023:2654

Comment 12 errata-xmlrpc 2023-05-09 11:46:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2655 https://access.redhat.com/errata/RHSA-2023:2655

Comment 13 Product Security DevOps Team 2023-05-09 20:46:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-23918
