Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918086 (CVE-2023-32002, CVE-2023-32003, CVE-2023-32004, CVE-2023-32005, CVE-2023-32006, CVE-2023-32558, CVE-2023-32559) - <net-libs/nodejs-{16.20.2,18.17.1,20.5.1}: multiple vulnerabilities
Summary: <net-libs/nodejs-{16.20.2,18.17.1,20.5.1}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-32002, CVE-2023-32003, CVE-2023-32004, CVE-2023-32005, CVE-2023-32006, CVE-2023-32558, CVE-2023-32559
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-23 17:36 UTC by John Helmert III
Modified: 2024-05-08 11:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-23 17:36:27 UTC
CVE-2023-32002 (https://hackerone.com/reports/1960870):

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVE-2023-32004 (https://hackerone.com/reports/2038134):

A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.

This vulnerability affects all users using the experimental permission model in Node.js 20.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CVE-2023-32558 (https://hackerone.com/reports/2051257):

The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. 

This vulnerability affects all users using the experimental permission model in Node.js 20.x.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CVE-2023-32006 (https://hackerone.com/reports/2043807):

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVE-2023-32559 (https://hackerone.com/reports/1946470):

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVE-2023-32005 (https://hackerone.com/reports/2051224):

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.

This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.

This vulnerability affects all users using the experimental permission model in Node.js 20.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CVE-2023-32003 (https://hackerone.com/reports/2037887):

`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory.

This vulnerability affects all users using the experimental permission model in Node.js 20.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

All from https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/,
fixes in 16.20.2, 18.17.1, 20.5.1.
Comment 1 Larry the Git Cow gentoo-dev 2024-05-08 11:16:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=88bffd0cf8491b108b57ac229b72f8b472c31ed1

commit 88bffd0cf8491b108b57ac229b72f8b472c31ed1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-08 11:16:15 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-08 11:16:37 +0000

    [ GLSA 202405-29 ] Node.js: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/772422
    Bug: https://bugs.gentoo.org/781704
    Bug: https://bugs.gentoo.org/800986
    Bug: https://bugs.gentoo.org/805053
    Bug: https://bugs.gentoo.org/807775
    Bug: https://bugs.gentoo.org/811273
    Bug: https://bugs.gentoo.org/817938
    Bug: https://bugs.gentoo.org/831037
    Bug: https://bugs.gentoo.org/835615
    Bug: https://bugs.gentoo.org/857111
    Bug: https://bugs.gentoo.org/865627
    Bug: https://bugs.gentoo.org/872692
    Bug: https://bugs.gentoo.org/879617
    Bug: https://bugs.gentoo.org/918086
    Bug: https://bugs.gentoo.org/918614
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-29.xml | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 121 insertions(+)