Debian Nodejs vulnerabilities

CVE-2023-32002 [CRITICAL] CVE-2023-32002: nodejs - The use of `Module._load()` can bypass the policy mechanism and require modules ... The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVE-2023-32559 [HIGH] CVE-2023-32559: nodejs - A privilege escalation vulnerability exists in the experimental policy mechanism... A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `poli

CVE-2023-46809 [HIGH] CVE-2023-46809: nodejs - Node.js versions which bundle an unpatched version of OpenSSL or run against a d... Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key. Scope: local bookworm: resolved (fixed in 18.20.4+dfsg-1~deb12u

CVE-2023-23918 [HIGH] CVE-2023-23918: nodejs - A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19... A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option wi

CVE-2023-23919 [HIGH] CVE-2023-23919: nodejs - A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14... A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service. Scope: loc

CVE-2023-30581 [HIGH] CVE-2023-30581: nodejs - The use of __proto__ in process.mainModule.__proto__.require() can bypass the po... The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of

CVE-2023-32006 [HIGH] CVE-2023-32006: nodejs - The use of `module.constructor.createRequire()` can bypass the policy mechanism ... The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental fe

CVE-2023-38552 [HIGH] CVE-2023-38552: nodejs - When the Node.js policy feature checks the integrity of a resource against a tru... When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 1

CVE-2023-30590 [HIGH] CVE-2023-30590: nodejs - The generateKeys() API function returned from crypto.createDiffieHellman() only ... The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diff

CVE-2023-39333 [MEDIUM] CVE-2023-39333: nodejs - Maliciously crafted export names in an imported WebAssembly module can inject Ja... Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable f

CVE-2023-23920 [MEDIUM] CVE-2023-23920: nodejs - An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16... An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. Scope: local bookworm: resolved (fixed in 18.19.0+dfsg-6~deb12u1) bullseye: resolved (fixed in 12.22.12~dfsg-1~deb11u4) forky: resolved (fixed in 18.13.0+dfsg1

CVE-2023-30588 [MEDIUM] CVE-2023-30588: nodejs - When an invalid public key is used to create an x509 certificate using the crypt... When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of th

CVE-2023-32005 [MEDIUM] CVE-2023-32005: nodejs - A vulnerability has been identified in Node.js version 20, affecting users of th... A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not h

CVE-2023-30582 [MEDIUM] CVE-2023-30582: nodejs - A vulnerability has been identified in Node.js version 20, affecting users of th... A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have expl

CVE-2023-30586 [HIGH] CVE-2023-30586: nodejs - A privilege escalation vulnerability exists in Node.js 20 that allowed loading a... A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The

CVE-2023-30583 [HIGH] CVE-2023-30583: nodejs - fs.openAsBlob() can bypass the experimental permission model when using the file... fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Scope: local bookworm: resolved bullsey

CVE-2023-30587 [HIGH] CVE-2023-30587: nodejs - A vulnerability in Node.js version 20 allows for bypassing restrictions set by t... A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructo

CVE-2023-32003 [MEDIUM] CVE-2023-32003: nodejs - `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model... `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at th

CVE-2023-39332 [HIGH] CVE-2023-39332: nodejs - Various `node:fs` functions allow specifying paths as either strings or `Uint8Ar... Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects. This is distinct from CVE-2023-32004

CVE-2023-30585 [HIGH] CVE-2023-30585: nodejs - A vulnerability has been identified in the Node.js (.msi version) installation p... A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from t