Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. References: https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 2244476] Affects: fedora-37 [bug 2244489] Created nodejs16 tracking bugs for this issue: Affects: fedora-38 [bug 2244480] Created nodejs18 tracking bugs for this issue: Affects: fedora-38 [bug 2244484] Created nodejs20 tracking bugs for this issue: Affects: fedora-38 [bug 2244478] Created nodejs:13/nodejs tracking bugs for this issue: Affects: epel-8 [bug 2244491] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-37 [bug 2244488] Created nodejs:16-epel/nodejs tracking bugs for this issue: Affects: epel-8 [bug 2244490] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-38 [bug 2244482] Created nodejs:18/nodejs tracking bugs for this issue: Affects: fedora-37 [bug 2244486]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5849 https://access.redhat.com/errata/RHSA-2023:5849
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5869 https://access.redhat.com/errata/RHSA-2023:5869
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7205 https://access.redhat.com/errata/RHSA-2023:7205