CVE-2023-32559

nodejs: Permissions policies can be bypassed via process.binding

  • Severity Score (CVSS v3.1): 7.5
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 1
  • Exploited in Wild (KEV): -
  • Decision (SSVC): Track*

Descriptions

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The deprecated API `process.binding()` can be used to bypass the policy mechanism by requiring internal modules and eventually taking advantage of `process.binding('spawn_sync')` to run arbitrary code outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

A vulnerability was found in Node.js. The issue arises because the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code outside of the limits defined in a `policy.json` file.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2023-05-10 CVE Reserved
  • 2023-08-24 CVE Published
  • 2024-08-30 EPSS Updated
  • 2024-10-03 CVE Updated
  • 2024-10-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-269: Improper Privilege Management
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|--------|---------|---------|-------|--------|
| Nodejs | Node.js | >= 16.0.0 <= 16.20.1 | - | Affected |
| Nodejs | Node.js | >= 18.0.0 <= 18.17.0 | - | Affected |
| Nodejs | Node.js | >= 20.0.0 <= 20.5.0 | - | Affected |