CVE-2023-32559 – nodejs: Permissions policies can be bypassed via process.binding
https://notcve.org/view.php?id=CVE-2023-32559
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. Existe una vulnerabilidad de escalada de privilegios en el mecanismo de directiva experimental en todas las líneas de versión activas: 16.x, 18.x y 20.x. El uso de la API obsoleta 'process.binding()' puede omitir el mecanismo de la política al requerir módulos internos y, finalmente, aprovechar 'process.binding('spawn_sync')' ejecutar código arbitrario, fuera de los límites definidos en un archivo 'policy.json'. • https://hackerone.com/reports/1946470 https://security.netapp.com/advisory/ntap-20231006-0006 https://access.redhat.com/security/cve/CVE-2023-32559 https://bugzilla.redhat.com/show_bug.cgi?id=2230956 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-269: Improper Privilege Management •
CVE-2023-32002 – nodejs: Permissions policies can be bypassed via Module._load
https://notcve.org/view.php?id=CVE-2023-32002
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. El uso de 'Module._load()' puede omitir el mecanismo de políticas y requerir módulos fuera de la definición policy.json para un módulo determinado. Esta vulnerabilidad afecta a todos los usuarios que utilizan el mecanismo de directiva experimental en todas las líneas de versión activas: 16.x, 18.x y 20.x. • https://hackerone.com/reports/1960870 https://security.netapp.com/advisory/ntap-20230915-0009 https://access.redhat.com/security/cve/CVE-2023-32002 https://bugzilla.redhat.com/show_bug.cgi?id=2230948 • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-1268: Policy Privileges are not Assigned Consistently Between Control and Data Agents •
CVE-2023-32006 – nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()
https://notcve.org/view.php?id=CVE-2023-32006
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. El uso de 'module.constructor.createRequire()' puede omitir el mecanismo de políticas y requerir módulos fuera de la definición policy.json para un módulo determinado. Esta vulnerabilidad afecta a todos los usuarios que usan el mecanismo de directiva experimental en todas las líneas de versión activas: 16.x, 18.x y 20.x. Tenga en cuenta que en el momento en que se emitió este CVE, la política es una característica experimental de Node.js. A vulnerability was found in NodeJS. • https://hackerone.com/reports/2043807 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX https://security.netapp.com/advisory/ntap-20230915-0009 https://access.redhat.com/security/cve/CVE-2023-32006 https://bugzilla.redhat.com/show_bug.cgi?id=2230955 • CWE-213: Exposure of Sensitive Information Due to Incompatible Policies •
CVE-2023-30581 – nodejs: mainModule.proto bypass experimental policy mechanism
https://notcve.org/view.php?id=CVE-2023-30581
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js El uso de __proto__ en process.mainModule.__proto__.require() puede omitir el mecanismo de políticas y requerir módulos fuera de la definición de policy.json. Esta vulnerabilidad afecta a todos los usuarios que utilizan el mecanismo de política experimental en todas las líneas de lanzamiento activas: v16, v18 y v20. • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases https://access.redhat.com/security/cve/CVE-2023-30581 https://bugzilla.redhat.com/show_bug.cgi?id=2219824 •
CVE-2023-30588 – nodejs: process interuption due to invalid Public Key information in x509 certificates
https://notcve.org/view.php?id=CVE-2023-30588
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. Cuando se utiliza una clave pública no válida para crear x509 certificates utilizando la API crypto.X509Certificate(), se produce una terminación no esperada que la hace susceptible a ataques DoS cuando el atacante podría forzar interrupciones en el procesamiento de la aplicación, ya que el proceso finaliza al acceder a la información de clave pública de los certificados proporcionados desde el código de usuario. El contexto actual de los usuarios desaparecerá y eso provocará un escenario DoS. • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases https://security.netapp.com/advisory/ntap-20240621-0006 https://access.redhat.com/security/cve/CVE-2023-30588 https://bugzilla.redhat.com/show_bug.cgi?id=2219838 •