4345 matches found
CVE-2023-32559 vulnerabilities
Vulnerabilities for packages: nodejs...
ALPINE-CVE-2023-32559
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding'spawnsyn...
The vulnerability of the `process.mainModule.__proto__.require()` function in the Node.js software platform allows an attacker to compromise the integrity of the protected information.
The vulnerability of the `process.mainModule.__proto__.require` function in the Node.js software platform is related to authentication errors. Exploiting this vulnerability allows a malicious actor to compromise the integrity of protected information...
Improper Access Control
nodejs is vulnerable to Improper Access Control. This vulnerability exists due to a flaw in the way the module.constructor.createRequire API can be used to bypass the policy mechanism. An attacker can exploit this vulnerability to load modules outside of the policy...
SUSE-SU-2023:3400-1 Security update for nodejs16
This update for nodejs16 fixes the following issues: Update to LTS version 16.20.2. - CVE-2023-32002: Fixed permissions policies bypass via Module.load (bsc#1214150). - CVE-2023-32006: Fixed permissions policies impersonation using module.constructor.createRequire (bsc#1214156). - CVE-2023-32559: Fixed...
Internet Bug Bounty: Dependency Policy Bypass via process.binding
A vulnerability was discovered in Node.js that allowed for the bypassing of permissions policies via the use of the process.binding API. This vulnerability allowed an attacker to run arbitrary code outside of the limits defined in a policy.json file. The vulnerability affected all users using the...
A vulnerability has been discovered in Node.js version 20 specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued the permission model is an experimental feature of Node.js.
...
SUSE-SU-2023:3379-1 Security update for nodejs16
This update for nodejs16 fixes the following issues: Update to LTS version 16.20.2. - CVE-2023-32002: Fixed permissions policies bypass via Module.load (bsc#1214150). - CVE-2023-32006: Fixed permissions policies impersonation using module.constructor.createRequire (bsc#1214156). - CVE-2023-32559: Fixed...
CVE-2023-32559
A vulnerability was found in NodeJS. This security issue occurs as the use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') to run arbitrary code outside of the limits defined in a...
CVE-2023-32006
A vulnerability was found in NodeJS. This security issue occurs as the use of module.constructor.createRequire can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Mitigation: Mitigation for this issue is either not available or the currentl...
CVE-2023-32002
A vulnerability was found in NodeJS. This security issue occurs as the use of Module.load can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Mitigation: Mitigation for this issue is either not available or the currently available options...
ALPINE-CVE-2023-32002
The use of Module.load can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CV...
CVE-2023-32002 vulnerabilities
Vulnerabilities for packages: nodejs...
AZL-27940 CVE-2023-32002 affecting package nodejs for versions less than 16.20.2-2
The use of Module.load can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CV...
Jenkins NodeJS Plugin improper credential masking vulnerability
Jenkins NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file. NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in...
GHSA-36FG-WHR2-G999 Jenkins NodeJS Plugin improper credential masking vulnerability
Jenkins NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file. NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in...
CVE-2023-40340
Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs...
Design/Logic Flaw
Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs...
CVE-2023-40340
Summary of CVE-2023-40340: The Jenkins NodeJS Plugin (versions ≤ 1.6.0) fails to mask credentials in the Npm config file as they appear in Pipeline build logs. This improper masking can expose credentials, per the Red Hat and NVD entries, which align on the affected plugin and version range. The ...