Bugzilla – Bug 1212580
VUL-0: CVE-2023-30586: nodejs20: OpenSSL engines can be used to bypass the permission model
Last modified: 2024-05-24 10:39:05 UTC
OpenSSL engines can be used to bypass the permission model (Medium) (CVE-2023-30586) Node.js 20 allows loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Thanks to Tobias Nießen for reporting this vulnerability and fixing it. https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
This is an autogenerated message for OBS integration: This bug (1212580) was mentioned in https://build.opensuse.org/request/show/1094364 Factory / nodejs20
This should be fixed in all affected versions (nodejs20). Reassigning to security team for tracking
All done, closing.