View Issue Details

ID: 0004291
Project: Rocky-Linux-8
Category: nodejs
View Status: public
Last Update: 2024-02-22 01:22
Reporter: s mile
Assigned To: Brian Clemens
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0004291: nodejs version affected by multiple vulnerabilities.
Description: The latest version of nodejs provided on all mirrors seems to be 18.16.1, which is affected by multiple vulnerabilities. Newer versions of nodejs, especially the most recent of 18.18.0 as provided by nodejs.org, are not available in the repository.

The vulnerabilities as reported by Nessus are:
- Permissions policies can be bypassed via Module._load (CVE-2023-32002)
- Permission model bypass by specifying a path traversal sequence in a Buffer (CVE-2023-32004)
- process.binding() can bypass the permission model through path traversal (CVE-2023-32558)
- Permissions policies can impersonate other modules in using module.constructor.createRequire() (CVE-2023-32006)
- Permissions policies can be bypassed via process.binding (CVE-2023-32559)
- fs.statfs can retrieve stats from files restricted by the Permission Model (CVE-2023-32005)
- fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks (CVE-2023-32003)
Tags: No tags attached.

Activities

Skip Grube

2023-09-19 15:57

manager   ~0004654

Hi, thanks for your report!

Rocky Linux's stated goal is 100% version/patch parity with the upstream RHEL (Red Hat Enterprise Linux). Once an update is issued there, the Rocky project then follows suit very quickly.

I see that most of these have not yet been addressed in RHEL, like: https://access.redhat.com/security/cve/cve-2023-32002 .

Others don't seem to affect the RHEL NodeJS, and therefore will also not affect the Rocky packages either, like: https://access.redhat.com/security/cve/cve-2023-32558 .


Many of these CVEs seem to only affect NodeJS's experimental new security policy system. I'd speculate the lack of urgency around some of these updates is due to most enterprise customers not relying on the new system. But that's only my personal view of the situation - I don't know much about NodeJS all told.

Thanks, hope this helps,
- Skip
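
The note above observes that many of these CVEs concern Node.js's experimental policy system. As an added example (not code from this tracker, Rocky Linux or Node.js), the sketch below sorts the reported findings by the feature each title names and checks whether that feature is switched on for a process. The function names and status labels are hypothetical.

```javascript
// Added example: constructed triage helper, not from the tracker or Node.js itself.
const FLAGS = {
  policy: '--experimental-policy',         // policy manifests (Node.js CLI flag)
  permission: '--experimental-permission', // Permission Model (Node.js 20 CLI flag)
};

// Which experimental features are switched on by CLI args or NODE_OPTIONS.
// NODE_OPTIONS is split on whitespace, a simplification that ignores quoting.
function enabledFeatures(execArgv, nodeOptions = '') {
  const tokens = [...execArgv, ...nodeOptions.split(/\s+/).filter(Boolean)];
  const on = {};
  for (const [feature, flag] of Object.entries(FLAGS)) {
    on[feature] = tokens.some((t) => t === flag || t.startsWith(flag + '='));
  }
  return on;
}

// Classify a finding by the feature its title names; null when the title names none.
function featureOf(title) {
  if (/permissions? polic/i.test(title)) return 'policy';
  if (/permission model/i.test(title)) return 'permission';
  return null;
}

// Pair each finding with the state of the feature it depends on.
function triage(findings, features) {
  return findings.map(({ cve, title }) => {
    const feature = featureOf(title);
    const status = feature === null ? 'review-manually'
      : features[feature] ? 'feature-enabled' : 'feature-not-enabled';
    return { cve, feature, status };
  });
}

// Titles copied from the Nessus list in the report above (subset).
const FINDINGS = [
  { cve: 'CVE-2023-32002', title: 'Permissions policies can be bypassed via Module._load' },
  { cve: 'CVE-2023-32004', title: 'Permission model bypass by specifying a path traversal sequence in a Buffer' },
  { cve: 'CVE-2023-32558', title: 'process.binding() can bypass the permission model through path traversal' },
  { cve: 'CVE-2023-32003', title: 'fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks' },
];

// Report for the current process.
console.table(triage(FINDINGS, enabledFeatures(process.execArgv, process.env.NODE_OPTIONS)));
```

A `feature-not-enabled` result describes only this process's flags; the package still needs the vendor's fixed build.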

Brian Clemens

2024-02-22 01:22

QA   ~0006074

- CVE-2023-32002 - Fixed
- CVE-2023-32003 - Not affected
- CVE-2023-32004 - Not affected
- CVE-2023-32005 - Not affected
- CVE-2023-32006 - Fixed
- CVE-2023-32558 - Not affected
- CVE-2023-32558 - Fixed

Issue History

Date Modified Username Field Change
2023-09-19 14:07 s mile New Issue
2023-09-19 15:57 Skip Grube Note Added: 0004654
2024-02-22 01:11 Brian Clemens Assigned To => Brian Clemens
2024-02-22 01:11 Brian Clemens Status new => assigned
2024-02-22 01:22 Brian Clemens Status assigned => closed
2024-02-22 01:22 Brian Clemens Resolution open => fixed
2024-02-22 01:22 Brian Clemens Note Added: 0006074