CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-32006 – nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()
https://notcve.org/view.php?id=CVE-2023-32006
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. El uso de 'module.constructor.createRequire()' puede omitir el mecanismo de políticas y requerir módulos fuera de la definición policy.json para un módulo determinado. Esta vulnerabilidad afecta a todos los usuarios que usan el mecanismo de directiva experimental en todas las líneas de versión activas: 16.x, 18.x y 20.x. Tenga en cuenta que en el momento en que se emitió este CVE, la política es una característica experimental de Node.js. A vulnerability was found in NodeJS. • https://hackerone.com/reports/2043807 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX https://security.netapp.com/advisory/ntap-20230915-0009 https://access.redhat.com/security/cve/CVE-2023-32006 https://bugzilla.redhat.com/show_bug.cgi?id=2230955 • CWE-213: Exposure of Sensitive Information Due to Incompatible Policies •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30581 – nodejs: mainModule.proto bypass experimental policy mechanism
https://notcve.org/view.php?id=CVE-2023-30581
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js El uso de __proto__ en process.mainModule.__proto__.require() puede omitir el mecanismo de políticas y requerir módulos fuera de la definición de policy.json. Esta vulnerabilidad afecta a todos los usuarios que utilizan el mecanismo de política experimental en todas las líneas de lanzamiento activas: v16, v18 y v20. • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases https://access.redhat.com/security/cve/CVE-2023-30581 https://bugzilla.redhat.com/show_bug.cgi?id=2219824 •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30588 – nodejs: process interuption due to invalid Public Key information in x509 certificates
https://notcve.org/view.php?id=CVE-2023-30588
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. Cuando se utiliza una clave pública no válida para crear x509 certificates utilizando la API crypto.X509Certificate(), se produce una terminación no esperada que la hace susceptible a ataques DoS cuando el atacante podría forzar interrupciones en el procesamiento de la aplicación, ya que el proceso finaliza al acceder a la información de clave pública de los certificados proporcionados desde el código de usuario. El contexto actual de los usuarios desaparecerá y eso provocará un escenario DoS. • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases https://security.netapp.com/advisory/ntap-20240621-0006 https://access.redhat.com/security/cve/CVE-2023-30588 https://bugzilla.redhat.com/show_bug.cgi?id=2219838 •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30590 – nodejs: DiffieHellman do not generate keys after setting a private key
https://notcve.org/view.php?id=CVE-2023-30590
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad. La función API generateKeys() devuelta por crypto.createDiffieHellman() solo genera claves faltantes (o desactualizadas), es decir, solo genera una clave privada si aún no se ha configurado ninguna, pero la función también es necesaria para calcular la clave pública correspondiente. después de llamar a setPrivateKey(). Sin embargo, la documentación dice que esta llamada API: "Genera valores de clave Diffie-Hellman públicos y privados". El comportamiento documentado es muy diferente del comportamiento real, y esta diferencia podría conducir fácilmente a problemas de seguridad en las aplicaciones que utilizan estas API, ya que DiffieHellman puede usarse como base para la seguridad a nivel de aplicación; en consecuencia, las implicaciones son amplias. • https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html https://nodejs.org/en/blog/vulnerability/june-2023-security-releases https://access.redhat.com/security/cve/CVE-2023-30590 https://bugzilla.redhat.com/show_bug.cgi?id=2219842 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30586
https://notcve.org/view.php?id=CVE-2023-30586
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. • https://hackerone.com/reports/1954535 https://security.netapp.com/advisory/ntap-20230803-0008 • CWE-862: Missing Authorization •