{
  "threat_severity" : "Moderate",
  "public_date" : "2023-08-09T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: Permissions policies can be bypassed via process.binding",
    "id" : "2230956",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2230956"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-94",
  "details" : [ "A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy was an experimental feature of Node.js.", "A vulnerability was found in NodeJS. This security issue occurs because the use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') to run arbitrary code outside of the limits defined in a policy.json file." ],
  "statement" : "When this CVE was reported, the policy.json mechanism was still experimental in nature and not widely deployed, which is why Red Hat chose to classify this issue as Moderate at the time it was submitted. The CVSS 3.1 base score of 7.5 reflects the technical impact where a policy is actually enforced: only deployments that rely on the experimental policy feature to restrict what code may run are exposed to this bypass, since an application that does not load a policy.json has no policy to circumvent.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-09-26T00:00:00Z",
    "advisory" : "RHSA-2023:5360",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:16-8080020230906092006.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-09-26T00:00:00Z",
    "advisory" : "RHSA-2023:5362",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:18-8080020230825111344.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2023-09-26T00:00:00Z",
    "advisory" : "RHSA-2023:5361",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
    "package" : "nodejs:16-8060020230906023909.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-09-26T00:00:00Z",
    "advisory" : "RHSA-2023:5363",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:18-9020020230825081254.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-10-09T00:00:00Z",
    "advisory" : "RHSA-2023:5532",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs-1:16.20.2-1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support",
    "release_date" : "2023-10-09T00:00:00Z",
    "advisory" : "RHSA-2023:5533",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.0",
    "package" : "nodejs-1:16.20.2-1.el9_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs14-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-32559\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-32559\nhttps://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-processbinding-mediumcve-2023-32559" ],
  "name" : "CVE-2023-32559",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}