Bug 1208481 (CVE-2023-23918) - VUL-0: CVE-2023-23918: nodejs: permissions policies can be bypassed via process.mainModule
Summary: VUL-0: CVE-2023-23918: nodejs: permissions policies can be bypassed via proce...
Status: RESOLVED FIXED
Alias: CVE-2023-23918
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/357712/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-23918:6.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-20 09:20 UTC by Carlos López
Modified: 2023-08-28 16:30 UTC (History)
CC List: 0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2023-02-20 09:20:15 UTC
CVE-2023-23918

It was possible to bypass Permissions and access non-authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.

Thank you to @goums for reporting this vulnerability and thank you to Rafael Gonzaga for fixing it.

Impacts:
All versions of the 19.x, 18.x, 16.x, and 14.x release lines.

References:
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
Comment 3 OBSbugzilla Bot 2023-02-22 16:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1208481) was mentioned in
https://build.opensuse.org/request/show/1067186 Factory / nodejs19
https://build.opensuse.org/request/show/1067187 Factory / nodejs18
Comment 6 Maintenance Automation 2023-03-03 12:30:09 UTC
SUSE-SU-2023:0609-1: An update that solves five vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1205568, 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
Web and Scripting Module 12 (src): nodejs16-16.19.1-8.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-03-03 12:30:14 UTC
SUSE-SU-2023:0608-1: An update that solves five vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1205568, 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
openSUSE Leap 15.4 (src): nodejs16-16.19.1-150400.3.15.1
Web and Scripting Module 15-SP4 (src): nodejs16-16.19.1-150400.3.15.1
Comment 8 Maintenance Automation 2023-03-03 12:30:19 UTC
SUSE-SU-2023:0607-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1208481, 1208487
CVE References: CVE-2023-23918, CVE-2023-23920
Sources used:
Web and Scripting Module 12 (src): nodejs14-14.21.3-6.40.1
Comment 9 Maintenance Automation 2023-03-08 16:30:12 UTC
SUSE-SU-2023:0674-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1208481, 1208487
CVE References: CVE-2023-23918, CVE-2023-23920
Sources used:
openSUSE Leap 15.4 (src): nodejs14-14.21.3-150200.15.43.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): nodejs14-14.21.3-150200.15.43.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): nodejs14-14.21.3-150200.15.43.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs14-14.21.3-150200.15.43.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): nodejs14-14.21.3-150200.15.43.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs14-14.21.3-150200.15.43.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): nodejs14-14.21.3-150200.15.43.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs14-14.21.3-150200.15.43.1
SUSE Manager Server 4.2 (src): nodejs14-14.21.3-150200.15.43.1
SUSE Enterprise Storage 7.1 (src): nodejs14-14.21.3-150200.15.43.1
SUSE Enterprise Storage 7 (src): nodejs14-14.21.3-150200.15.43.1
Comment 10 Maintenance Automation 2023-03-08 16:30:15 UTC
SUSE-SU-2023:0673-1: An update that solves five vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1205568, 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): nodejs16-16.19.1-150300.7.18.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs16-16.19.1-150300.7.18.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs16-16.19.1-150300.7.18.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs16-16.19.1-150300.7.18.1
SUSE Manager Server 4.2 (src): nodejs16-16.19.1-150300.7.18.1
SUSE Enterprise Storage 7.1 (src): nodejs16-16.19.1-150300.7.18.1
Comment 11 Maintenance Automation 2023-03-13 12:30:02 UTC
SUSE-SU-2023:0715-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
Web and Scripting Module 12 (src): nodejs18-18.14.2-8.6.2
Comment 12 Maintenance Automation 2023-03-15 08:30:01 UTC
SUSE-SU-2023:0738-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
openSUSE Leap 15.4 (src): nodejs18-18.14.2-150400.9.6.2
Web and Scripting Module 15-SP4 (src): nodejs18-18.14.2-150400.9.6.2
Comment 16 Carlos López 2023-08-28 08:08:22 UTC
Done, closing.
Comment 17 Maintenance Automation 2023-08-28 16:30:15 UTC
SUSE-SU-2023:3455-1: An update that solves seven vulnerabilities can now be installed.

Category: security (important)
Bug References: 1208481, 1212574, 1212582, 1212583, 1214150, 1214154, 1214156
CVE References: CVE-2023-23918, CVE-2023-30581, CVE-2023-30589, CVE-2023-30590, CVE-2023-32002, CVE-2023-32006, CVE-2023-32559
Sources used:
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs12-12.22.12-150200.4.50.1
SUSE Manager Server 4.2 (src): nodejs12-12.22.12-150200.4.50.1
SUSE Enterprise Storage 7.1 (src): nodejs12-12.22.12-150200.4.50.1
SUSE Enterprise Storage 7 (src): nodejs12-12.22.12-150200.4.50.1
openSUSE Leap 15.4 (src): nodejs12-12.22.12-150200.4.50.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): nodejs12-12.22.12-150200.4.50.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): nodejs12-12.22.12-150200.4.50.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs12-12.22.12-150200.4.50.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): nodejs12-12.22.12-150200.4.50.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs12-12.22.12-150200.4.50.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): nodejs12-12.22.12-150200.4.50.1