Bugzilla – Bug 1208481
VUL-0: CVE-2023-23918: nodejs: permissions policies can be bypassed via process.mainModule
Last modified: 2023-08-28 16:30:15 UTC
CVE-2023-23918

It was possible to bypass Permissions and access non-authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.

Thank you to @goums for reporting this vulnerability, and thank you to Rafael Gonzaga for fixing it.

Impacts: All versions of the 19.x, 18.x, 16.x, and 14.x release lines.

References:
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
This is an autogenerated message for OBS integration:
This bug (1208481) was mentioned in
https://build.opensuse.org/request/show/1067186 Factory / nodejs19
https://build.opensuse.org/request/show/1067187 Factory / nodejs18
SUSE-SU-2023:0609-1: An update that solves five vulnerabilities and has one fix can now be installed.
Category: security (important)
Bug References: 1205568, 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
  Web and Scripting Module 12 (src): nodejs16-16.19.1-8.24.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0608-1: An update that solves five vulnerabilities and has one fix can now be installed.
Category: security (important)
Bug References: 1205568, 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
  openSUSE Leap 15.4 (src): nodejs16-16.19.1-150400.3.15.1
  Web and Scripting Module 15-SP4 (src): nodejs16-16.19.1-150400.3.15.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0607-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1208481, 1208487
CVE References: CVE-2023-23918, CVE-2023-23920
Sources used:
  Web and Scripting Module 12 (src): nodejs14-14.21.3-6.40.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0674-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1208481, 1208487
CVE References: CVE-2023-23918, CVE-2023-23920
Sources used:
  openSUSE Leap 15.4 (src): nodejs14-14.21.3-150200.15.43.1
  SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): nodejs14-14.21.3-150200.15.43.1
  SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): nodejs14-14.21.3-150200.15.43.1
  SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs14-14.21.3-150200.15.43.1
  SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): nodejs14-14.21.3-150200.15.43.1
  SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs14-14.21.3-150200.15.43.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): nodejs14-14.21.3-150200.15.43.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs14-14.21.3-150200.15.43.1
  SUSE Manager Server 4.2 (src): nodejs14-14.21.3-150200.15.43.1
  SUSE Enterprise Storage 7.1 (src): nodejs14-14.21.3-150200.15.43.1
  SUSE Enterprise Storage 7 (src): nodejs14-14.21.3-150200.15.43.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0673-1: An update that solves five vulnerabilities and has one fix can now be installed.
Category: security (important)
Bug References: 1205568, 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
  SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): nodejs16-16.19.1-150300.7.18.1
  SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs16-16.19.1-150300.7.18.1
  SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs16-16.19.1-150300.7.18.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs16-16.19.1-150300.7.18.1
  SUSE Manager Server 4.2 (src): nodejs16-16.19.1-150300.7.18.1
  SUSE Enterprise Storage 7.1 (src): nodejs16-16.19.1-150300.7.18.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0715-1: An update that solves five vulnerabilities can now be installed.
Category: security (important)
Bug References: 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
  Web and Scripting Module 12 (src): nodejs18-18.14.2-8.6.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0738-1: An update that solves five vulnerabilities can now be installed.
Category: security (important)
Bug References: 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
  openSUSE Leap 15.4 (src): nodejs18-18.14.2-150400.9.6.2
  Web and Scripting Module 15-SP4 (src): nodejs18-18.14.2-150400.9.6.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.
SUSE-SU-2023:3455-1: An update that solves seven vulnerabilities can now be installed.
Category: security (important)
Bug References: 1208481, 1212574, 1212582, 1212583, 1214150, 1214154, 1214156
CVE References: CVE-2023-23918, CVE-2023-30581, CVE-2023-30589, CVE-2023-30590, CVE-2023-32002, CVE-2023-32006, CVE-2023-32559
Sources used:
  SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs12-12.22.12-150200.4.50.1
  SUSE Manager Server 4.2 (src): nodejs12-12.22.12-150200.4.50.1
  SUSE Enterprise Storage 7.1 (src): nodejs12-12.22.12-150200.4.50.1
  SUSE Enterprise Storage 7 (src): nodejs12-12.22.12-150200.4.50.1
  openSUSE Leap 15.4 (src): nodejs12-12.22.12-150200.4.50.1
  SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): nodejs12-12.22.12-150200.4.50.1
  SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): nodejs12-12.22.12-150200.4.50.1
  SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs12-12.22.12-150200.4.50.1
  SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): nodejs12-12.22.12-150200.4.50.1
  SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs12-12.22.12-150200.4.50.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): nodejs12-12.22.12-150200.4.50.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.