CVE-2023-32002

nodejs: Permissions policies can be bypassed via Module._load

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

El uso de 'Module._load()' puede omitir el mecanismo de políticas y requerir módulos fuera de la definición policy.json para un módulo determinado. Esta vulnerabilidad afecta a todos los usuarios que utilizan el mecanismo de directiva experimental en todas las líneas de versión activas: 16.x, 18.x y 20.x. Tenga en cuenta que en el momento en que se emitió este CVE, la política es una característica experimental de Node.js.

A vulnerability was found in NodeJS. This security issue occurs as the use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

*Credits: N/A

CVSS Scores

NISTv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-05-01 CVE Reserved
2023-08-21 CVE Published
2024-08-02 CVE Updated
2024-08-27 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-1268: Policy Privileges are not Assigned Consistently Between Control and Data Agents

CAPEC

References (4)

URL	Tag	Source
https://hackerone.com/reports/1960870	Third Party Advisory
https://security.netapp.com/advisory/ntap-20230915-0009

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-32002	2023-10-09
https://bugzilla.redhat.com/show_bug.cgi?id=2230948	2023-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 16.0.0 <= 16.20.1 Search vendor "Nodejs" for product "Node.js" and version " >= 16.0.0 <= 16.20.1"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 18.0.0 <= 18.17.0 Search vendor "Nodejs" for product "Node.js" and version " >= 18.0.0 <= 18.17.0"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 20.0.0 <= 20.5.0 Search vendor "Nodejs" for product "Node.js" and version " >= 20.0.0 <= 20.5.0"		-		Affected