Bug 2244418 (CVE-2023-39333) - CVE-2023-39333 nodejs: code injection via WebAssembly export names
Summary: CVE-2023-39333 nodejs: code injection via WebAssembly export names
Keywords:
Status: NEW
Alias: CVE-2023-39333
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2244476 2244478 2244480 2244482 2244484 2244490 2244491 2244465 2244486 2244488 2244489
Blocks: 2244419
Reported: 2023-10-16 12:46 UTC by Dhananjay Arunesh
Modified: 2024-02-01 09:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module.
Clone Of:
Environment:
Last Closed:
Embargoed:



Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2023:5906  0        None      None    None     2023-10-19 08:21:57 UTC
Red Hat Product Errata  RHBA-2023:6074  0        None      None    None     2023-10-24 10:36:12 UTC
Red Hat Product Errata  RHSA-2023:5849  0        None      None    None     2023-10-18 16:21:30 UTC
Red Hat Product Errata  RHSA-2023:5869  0        None      None    None     2023-10-18 23:09:53 UTC
Red Hat Product Errata  RHSA-2023:7205  0        None      None    None     2023-11-14 16:55:23 UTC

Description Dhananjay Arunesh 2023-10-16 12:46:46 UTC
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module.

References:
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases

Comment 2 Dhananjay Arunesh 2023-10-16 14:57:31 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2244476]
Affects: fedora-37 [bug 2244489]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-38 [bug 2244480]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-38 [bug 2244484]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2244478]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2244491]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2244488]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2244490]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-38 [bug 2244482]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2244486]

Comment 6 errata-xmlrpc 2023-10-18 16:21:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5849 https://access.redhat.com/errata/RHSA-2023:5849

Comment 8 errata-xmlrpc 2023-10-18 23:09:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5869 https://access.redhat.com/errata/RHSA-2023:5869

Comment 9 errata-xmlrpc 2023-11-14 16:55:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7205 https://access.redhat.com/errata/RHSA-2023:7205
