Bug 2230955 (CVE-2023-32006) - CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()
Summary: CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in ...
Keywords:
Status: NEW
Alias: CVE-2023-32006
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2233387 2233388 2233389 2233390 2233391 2233392 2233393 2230968 2230969 2230970 2230971 2233384 2233385 2233386 2233895 2233896 2234406 2234411 2236092 2236104 2236140
Blocks: 2230962
TreeView+ depends on / blocked
 
Reported: 2023-08-10 10:04 UTC by Mauro Matteo Cascella
Modified: 2024-02-01 09:01 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in NodeJS. This security issue occurs as the use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:5402 0 None None None 2023-09-28 15:26:49 UTC
Red Hat Product Errata RHBA-2023:5404 0 None None None 2023-09-28 18:27:20 UTC
Red Hat Product Errata RHBA-2023:5409 0 None None None 2023-10-02 08:11:39 UTC
Red Hat Product Errata RHBA-2023:5420 0 None None None 2023-10-03 15:11:30 UTC
Red Hat Product Errata RHBA-2023:5680 0 None None None 2023-10-12 08:11:58 UTC
Red Hat Product Errata RHBA-2023:5779 0 None None None 2023-10-17 09:26:55 UTC
Red Hat Product Errata RHSA-2023:5360 0 None None None 2023-09-26 14:52:10 UTC
Red Hat Product Errata RHSA-2023:5361 0 None None None 2023-09-26 14:50:41 UTC
Red Hat Product Errata RHSA-2023:5362 0 None None None 2023-09-26 14:58:50 UTC
Red Hat Product Errata RHSA-2023:5363 0 None None None 2023-09-26 14:51:37 UTC
Red Hat Product Errata RHSA-2023:5532 0 None None None 2023-10-09 10:27:01 UTC
Red Hat Product Errata RHSA-2023:5533 0 None None None 2023-10-09 10:26:50 UTC

Description Mauro Matteo Cascella 2023-08-10 10:04:22 UTC 
The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.

Security Advisory:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-impersonate-other-modules-in-using-moduleconstructorcreaterequire-mediumcve-2023-32006
Comment 3 Sandipan Roy 2023-08-22 07:11:35 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2233388]
Affects: fedora-37 [bug 2233384]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-38 [bug 2233390]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-38 [bug 2233391]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2233392]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2233389]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2233386]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2233387]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-38 [bug 2233393]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2233385]
Comment 4 errata-xmlrpc 2023-09-26 14:50:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5361 https://access.redhat.com/errata/RHSA-2023:5361
Comment 5 errata-xmlrpc 2023-09-26 14:51:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5363 https://access.redhat.com/errata/RHSA-2023:5363
Comment 6 errata-xmlrpc 2023-09-26 14:52:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5360 https://access.redhat.com/errata/RHSA-2023:5360
Comment 7 errata-xmlrpc 2023-09-26 14:58:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5362 https://access.redhat.com/errata/RHSA-2023:5362
Comment 8 errata-xmlrpc 2023-10-09 10:26:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533
Comment 9 errata-xmlrpc 2023-10-09 10:27:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5532 https://access.redhat.com/errata/RHSA-2023:5532
Note You need to log in before you can comment on or make changes to this bug.