Bug 1214155 (CVE-2023-32558) - VUL-0: CVE-2023-32558: nodejs20: process.binding() can bypass the permission model through path traversal
Summary: VUL-0: CVE-2023-32558: nodejs20: process.binding() can bypass the permission ...
Status: RESOLVED FIXED
Alias: CVE-2023-32558
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/374912/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-10 12:09 UTC by Robert Frohl
Modified: 2024-05-24 09:04 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2023-08-10 12:09:14 UTC 
CVE-2023-32558

The use of the deprecated API process.binding() can bypass the permission model through path traversal. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. This vulnerability affects all users using the experimental permission model in Node.js 20.

Security Advisory:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#processbinding-can-bypass-the-permission-model-through-path-traversal-highcve-2023-32558

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32558
https://bugzilla.redhat.com/show_bug.cgi?id=2230952
Comment 1 OBSbugzilla Bot 2023-08-10 15:55:09 UTC 
This is an autogenerated message for OBS integration:
This bug (1214155) was mentioned in
https://build.opensuse.org/request/show/1103349 Factory / nodejs20
Comment 6 Robert Frohl 2024-05-24 09:04:30 UTC 
done, closing