{ "threat_severity" : "Important", "public_date" : "2023-08-09T00:00:00Z", "bugzilla" : { "description" : "nodejs: Permissions policies can be bypassed via Module._load", "id" : "2230948", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2230948" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-213->CWE-1268", "details" : [ "The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.", "A vulnerability was found in NodeJS. This security issue occurs as the use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module." ], "statement" : "This vulnerability is rated Important instead of Critical because it only impacts users of the policy mechanism that must be explicitly enabled using the `--experimental-policy` flag. This is not enabled by default.\nRed Hat's Secure Software Development Life Cycle utilizes a layered testing approach. This significantly increases attack complexity, because a compromised package must remain undetected for months to years in testing in upstream communities before it could be adopted into a Red Hat product. This long dwell-time reduces impact to Important.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-09-26T00:00:00Z", "advisory" : "RHSA-2023:5360", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:16-8080020230906092006.63b34585" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-09-26T00:00:00Z", "advisory" : "RHSA-2023:5362", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:18-8080020230825111344.63b34585" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date" : "2023-09-26T00:00:00Z", "advisory" : "RHSA-2023:5361", "cpe" : "cpe:/a:redhat:rhel_eus:8.6", "package" : "nodejs:16-8060020230906023909.ad008a3a" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-09-26T00:00:00Z", "advisory" : "RHSA-2023:5363", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "nodejs:18-9020020230825081254.rhel9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-10-09T00:00:00Z", "advisory" : "RHSA-2023:5532", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "nodejs-1:16.20.2-1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date" : "2023-10-09T00:00:00Z", "advisory" : "RHSA-2023:5533", "cpe" : "cpe:/a:redhat:rhel_eus:9.0", "package" : "nodejs-1:16.20.2-1.el9_0" } ], "package_state" : [ { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "rh-nodejs14-nodejs", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-32002\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-32002\nhttps://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-module_load-highcve-2023-32002" ], "name" : "CVE-2023-32002", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }