Lucene search

K
redhatRedHatRHSA-2023:5360
HistorySep 26, 2023 - 2:25 p.m.

(RHSA-2023:5360) Important: nodejs:16 security, bug fix, and enhancement update

2023-09-2614:25:50
access.redhat.com
34
node.js
javascript
security
bug fix
upgrade
cve-2023-32002
cve-2022-25883
cve-2023-32006
cve-2023-32559
bz#2233891
bz#2237394

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

51.3%

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (16). (BZ#2233891)

Security Fix(es):

  • nodejs: Permissions policies can be bypassed via Module._load (CVE-2023-32002)

  • nodejs-semver: Regular expression denial of service (CVE-2022-25883)

  • nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire() (CVE-2023-32006)

  • nodejs: Permissions policies can be bypassed via process.binding (CVE-2023-32559)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • nodejs:16/nodejs: nodejs.prov doesn’t generate the bundled dependency for modules starting @ like @colors/colors (BZ#2237394)

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

51.3%