View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0004291||Rocky-Linux-8||nodejs||public||2023-09-19 14:07||2023-09-19 15:57|
|Reporter||s mile||Assigned To|
|Summary||0004291: nodejs version affected by multiple vulnerabilities.|
|Description||The latest version of nodejs provided on all mirrors seems to be 18.16.1, which is affected by multiple vulnerabilities. Newer versions of nodejs escpecially the most recent of 18.18.0 as provides by nodejs.org are not available in the repository.|
The vulnerabilities as reported by Nessus are:
- Permissions policies can be bypassed via Module._load (CVE-2023-32002)
- Permission model bypass by specifying a path traversal sequence in a Buffer (CVE-2023-32004)
- process.binding() can bypass the permission model through path traversal (CVE-2023-32558)
- Permissions policies can impersonate other modules in using module.constructor.createRequire() (CVE-2023-32006)
- Permissions policies can be bypassed via process.binding (CVE-2023-32559)
- fs.statfs can retrive stats from files restricted by the Permission Model (CVE-2023-32005)
- fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks (CVE-2023-32003)
|Tags||No tags attached.|
Hi, thanks for your report!
Rocky Linux's stated goal is 100% version/patch parity with the upstream RHEL (Red Hat Enterprise Linux). Once an update is issued there, the Rocky project then follows suit very quickly.
I see that most of these have not yet been addressed in RHEL, like: https://access.redhat.com/security/cve/cve-2023-32002 .
Others don't seem to affect the RHEL NodeJS, and therefore will also not affect the Rocky packages either, like: https://access.redhat.com/security/cve/cve-2023-32558 .
Many of these CVEs seem to only affect NodeJS's experimental new security policy system. I'd speculate the lack of urgency around some of these updates is due to most enterprise customers not relying on the new system. But that's only my personal view of the situation - I don't know much about NodeJS all told.
Thanks, hope this helps,