Bug 2219837 (CVE-2023-30586) - CVE-2023-30586 nodejs: OpenSSL engines can be used to bypass the permission model
Keywords:
Status: NEW
Alias: CVE-2023-30586
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2220760 2220761 2220762 2220763 2220764 2220765 2220766 2220767 2220768 2220769 2220770 2220771
Blocks: 2217661
Reported: 2023-07-05 14:59 UTC by Dhananjay Arunesh
Modified: 2024-02-01 09:01 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability has been identified in Node.js 20 that allows loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Dhananjay Arunesh 2023-07-05 14:59:58 UTC
Node.js 20 allows loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model.

References:
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Comment 1 Dhananjay Arunesh 2023-07-06 05:25:17 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2220765]
Affects: fedora-all [bug 2220763]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2220762]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2220764]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2220761]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2220760]

