{
  "threat_severity" : "Important",
  "public_date" : "2023-08-09T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()",
    "id" : "2230955",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2230955"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-213",
  "details" : [ "The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.", "A vulnerability was found in NodeJS. This security issue occurs as the use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-09-26T00:00:00Z",
    "advisory" : "RHSA-2023:5360",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:16-8080020230906092006.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-09-26T00:00:00Z",
    "advisory" : "RHSA-2023:5362",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:18-8080020230825111344.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2023-09-26T00:00:00Z",
    "advisory" : "RHSA-2023:5361",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
    "package" : "nodejs:16-8060020230906023909.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-09-26T00:00:00Z",
    "advisory" : "RHSA-2023:5363",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:18-9020020230825081254.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-10-09T00:00:00Z",
    "advisory" : "RHSA-2023:5532",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs-1:16.20.2-1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support",
    "release_date" : "2023-10-09T00:00:00Z",
    "advisory" : "RHSA-2023:5533",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.0",
    "package" : "nodejs-1:16.20.2-1.el9_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs14-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-32006\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-32006\nhttps://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-impersonate-other-modules-in-using-moduleconstructorcreaterequire-mediumcve-2023-32006" ],
  "name" : "CVE-2023-32006",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}