CVE-2023-32006

2023-08-1516:15:11

Debian Security Bug Tracker

security-tracker.debian.org

cve-2023-32006

module constructor createrequire

policy mechanism

policy.json

node.js

experimental feature

vulnerability

unix

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.3%

JSON

The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

OSVersionArchitecturePackageVersionFilename
Debian12allnodejs< 18.19.0+dfsg-6~deb12u1nodejs_18.19.0+dfsg-6~deb12u1_all.deb
Debian11allnodejs<= 12.22.12~dfsg-1~deb11u4nodejs_12.22.12~dfsg-1~deb11u4_all.deb
Debian10allnodejs< 10.24.0~dfsg-1~deb10u1nodejs_10.24.0~dfsg-1~deb10u1_all.deb
Debian999allnodejs< 18.13.0+dfsg1-1.1nodejs_18.13.0+dfsg1-1.1_all.deb
Debian13allnodejs< 18.13.0+dfsg1-1.1nodejs_18.13.0+dfsg1-1.1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	nodejs	< 18.19.0+dfsg-6~deb12u1	nodejs_18.19.0+dfsg-6~deb12u1_all.deb
Debian	11	all	nodejs	<= 12.22.12~dfsg-1~deb11u4	nodejs_12.22.12~dfsg-1~deb11u4_all.deb
Debian	10	all	nodejs	< 10.24.0~dfsg-1~deb10u1	nodejs_10.24.0~dfsg-1~deb10u1_all.deb
Debian	999	all	nodejs	< 18.13.0+dfsg1-1.1	nodejs_18.13.0+dfsg1-1.1_all.deb
Debian	13	all	nodejs	< 18.13.0+dfsg1-1.1	nodejs_18.13.0+dfsg1-1.1_all.deb