Lucene search
HackeroneCVE-2023-23918HistoryFeb 23, 2023 - 8:15 p.m.
CVE-2023-23918
2023-02-2320:15:13
CWE-863
hackerone
web.nvd.nist.gov
250
cve-2023-23918
node.js
privilege escalation
vulnerability
bypass
experimental permissions
process.mainmodule.require()
non authorized modules
--experimental-policy
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
8
Confidence
High
EPSS
0.002
Percentile
53.6%
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
Affected configurations
Node
nodejsnode.jsRange14.0.0–14.14.0-
ORnodejsnode.jsRange14.0.0–14.21.3lts
ORnodejsnode.jsRange16.0.0–16.12.0-
ORnodejsnode.jsRange16.0.0–16.19.1lts
ORnodejsnode.jsRange18.0.0–18.11.0-
ORnodejsnode.jsRange18.0.0–18.14.1lts
ORnodejsnode.jsRange19.0.0–19.6.1-
CNA Affected
[
{
"vendor": "n/a",
"product": "https://github.com/nodejs/node",
"versions": [
{
"version": "Fixed in 19.6.1, 18.14.1, 16.19.1, 14.21.3",
"status": "affected"
}
]
}
]Related
hackerone
hackerone
Node.js: Permissions policies can be bypassed via process.mainModule
2022-10-24 11:29:58
nvd
nvd
CVE-2023-23918
2023-02-23 20:15:13
alpinelinux
alpinelinux
CVE-2023-23918
2023-02-23 20:15:13
cbl_mariner
cbl_mariner
CVE-2023-23918 affecting package nodejs for versions less than 16.19.1-1
2023-03-24 23:56:25
CVE-2023-23918 affecting package nodejs 14.21.1-3
2023-08-15 16:37:27
osv
osv
CVE-2023-23918
2023-02-23 20:15:13
BIT-node-2023-23918
2024-03-06 11:02:19
corepack19-19.7.0-1.1 on GA media
2024-06-15 00:00:00
nessus
nessus
CBL Mariner 2.0 Security Update: nodejs (CVE-2023-23918)
2023-03-28 00:00:00
SUSE SLES15 / openSUSE 15 Security Update : nodejs14 (SUSE-SU-2023:0674-1)
2023-03-10 00:00:00
prion
prion
Privilege escalation
2023-02-23 20:15:00
cvelist
cvelist
CVE-2023-23918
2023-02-23 00:00:00
redhatcve
redhatcve
CVE-2023-23918
2023-02-20 22:29:19
ubuntucve
ubuntucve
CVE-2023-23918
2023-02-23 00:00:00
veracode
veracode
Improper Access Control
2023-02-18 05:20:42
debiancve
debiancve
CVE-2023-23918
2023-02-23 20:15:13
ibm
ibm
Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to security restriction bypasss due to [CVE-2023-23918]
2023-04-28 11:51:00
mageia
mageia
Updated nodejs packages fix security vulnerability
2023-03-02 00:14:31
openvas
openvas
Node.js 14.x < 14.21.3, 16.x < 16.19.1, 18.x < 18.14.1, 19.x < 19.6.1 Multiple Vulnerabilities - Mac OS X
2023-02-27 00:00:00
Node.js 14.x < 14.21.3, 16.x < 16.19.1, 18.x < 18.14.1, 19.x < 19.6.1 Multiple Vulnerabilities - Windows
2023-02-27 00:00:00
Mageia: Security Advisory (MGASA-2023-0078)
2023-03-28 00:00:00
f5
f5
K000134602 : Node.js vulnerabilities CVE-2023-23918 and CVE-2023-23920
2023-05-15 00:00:00
redhat
redhat
fedora
fedora
[SECURITY] Fedora 38 Update: nodejs20-19.8.1-7.fc38
2023-04-04 18:17:01
[SECURITY] Fedora 38 Update: nodejs16-16.20.0-2.fc38
2023-04-04 18:17:01
[SECURITY] Fedora 38 Update: nodejs18-18.15.0-6.fc38
2023-04-04 18:17:01
nodejsblog
nodejsblog
Thursday February 16 2023 Security Releases
2023-02-16 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 16.19.1-alt1
2023-03-22 00:00:00
almalinux
almalinux
Moderate: nodejs:18 security, bug fix, and enhancement update
2023-04-04 00:00:00
Important: nodejs:14 security, bug fix, and enhancement update
2023-04-12 00:00:00
oraclelinux
oraclelinux
nodejs:18 security, bug fix, and enhancement update
2023-04-05 00:00:00
nodejs and nodejs-nodemon security, bug fix, and enhancement update
2023-05-17 00:00:00
nodejs:14 security, bug fix, and enhancement update
2023-04-12 00:00:00
rocky
rocky
nodejs:18 security, bug fix, and enhancement update
2023-04-06 15:52:43
nodejs and nodejs-nodemon security, bug fix, and enhancement update
2023-05-25 19:53:09
nodejs:14 security, bug fix, and enhancement update
2023-04-26 15:28:13
photon
photon
Critical Photon OS Security Update - PHSA-2023-5.0-0011
2023-05-24 00:00:00
Critical Photon OS Security Update - PHSA-2023-3.0-0545
2023-03-07 00:00:00
redos
redos
ROS-20240916-03
2024-09-16 00:00:00
debian
debian
[SECURITY] [DSA 5589-1] nodejs security update
2023-12-27 22:12:40
oracle
oracle
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
8
Confidence
High
EPSS
0.002
Percentile
53.6%
Related for CVE-2023-23918