The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CPENameOperatorVersion
fedoraeq37
fedoraeq38
node.jsge20.0.0
node.jsle20.5.0
node.jsge16.0.0
node.jsle16.20.1
node.jsge18.0.0
node.jsle18.17.0

Name	Operator	Version
fedora	eq	37
fedora	eq	38
node.js	ge	20.0.0
node.js	le	20.5.0
node.js	ge	16.0.0
node.js	le	16.20.1
node.js	ge	18.0.0
node.js	le	18.17.0

References

hackerone.com/reports/2043807

lists.fedoraproject.org/archives/list/[email protected]/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/

lists.fedoraproject.org/archives/list/[email protected]/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/

security.netapp.com/advisory/ntap-20230915-0009/

redhatcve 1

alpinelinux 1

ibm 16

hackerone 2

cbl_mariner 2

osv 10

nvd 1

veracode 1

cve 1

ubuntucve 1

cvelist 1

wolfi 1

debiancve 1

cgr 1

mageia 1

nessus 32

almalinux 4

rocky 2

openvas 18

ubuntu 1

oraclelinux 4

redhat 6

photon 2

fedora 6

nodejsblog 1

f5 1

debian 1

gentoo 1

ics 1

oracle 1

redhatcve

CVE-2023-32006

2023-08-22 07:19:30

alpinelinux

CVE-2023-32006

2023-08-15 16:15:11

ibm

Security Bulletin: IBM Event Streams is affected by a vulnerability in Node.js (CVE-2023-32006)

2023-11-29 22:29:57

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to security restrictions bypass

2023-10-26 11:23:21

Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

2024-02-05 15:16:41

hackerone

Internet Bug Bounty: (CVE-2023-32006) Permissions policies can impersonate other modules in using module.constructor.createRequire()

2023-08-09 18:34:34

Node.js: Policy-restricted modules can escalate to higher privileges by impersonating other modules in a policy list using module.constructor.createRequire()

2023-06-30 06:09:36

cbl_mariner

CVE-2023-32006 affecting package nodejs18 for versions less than 18.17.1-2

2023-09-27 18:02:50

CVE-2023-32006 affecting package nodejs for versions less than 16.20.2-2

2023-09-27 18:02:50

osv

BIT-node-2023-32006

2024-03-06 10:59:55

CVE-2023-32006

2023-08-15 16:15:11

nodejs vulnerabilities

2024-06-10 08:42:42

nvd

CVE-2023-32006

2023-08-15 16:15:11

veracode

Improper Access Control

2023-08-23 17:05:30

cve

CVE-2023-32006

2023-08-15 16:15:11

ubuntucve

CVE-2023-32006

2023-08-15 00:00:00

cvelist

CVE-2023-32006

2023-08-15 15:10:09

wolfi

CVE-2023-32006 vulnerabilities

2024-07-05 21:08:40

debiancve

CVE-2023-32006

2023-08-15 16:15:11

cgr

CVE-2023-32006 vulnerabilities

2024-05-19 03:07:16

mageia

Updated nodejs packages fix security vulnerability

2023-09-25 01:16:18

nessus

Oracle Linux 9 : nodejs (ELSA-2023-5532)

2023-10-10 00:00:00

Ubuntu 22.04 LTS / 23.10 : Node.js vulnerabilities (USN-6822-1)

2024-06-10 00:00:00

Rocky Linux 9 : nodejs (RLSA-2023:5532)

2023-10-14 00:00:00

almalinux

Important: nodejs security and bug fix update

2023-10-09 00:00:00

Important: nodejs:18 security, bug fix, and enhancement update

2023-09-26 00:00:00

Important: nodejs:18 security, bug fix, and enhancement update

2023-09-26 00:00:00

rocky

nodejs security and bug fix update

2023-10-14 02:08:35

nodejs:18 security, bug fix, and enhancement update

2023-10-05 21:35:58

openvas

Ubuntu: Security Advisory (USN-6822-1)

2024-06-11 00:00:00

openSUSE: Security Advisory for nodejs16 (SUSE-SU-2023:3379-1)

2024-03-04 00:00:00

openSUSE: Security Advisory for nodejs18 (SUSE-SU-2023:3378-1)

2024-03-04 00:00:00

ubuntu

Node.js vulnerabilities

2024-06-10 00:00:00

oraclelinux

nodejs security and bug fix update

2023-10-10 00:00:00

nodejs:16 security, bug fix, and enhancement update

2023-09-28 00:00:00

nodejs:18 security, bug fix, and enhancement update

2023-10-05 00:00:00

redhat

(RHSA-2023:5532) Important: nodejs security and bug fix update

2023-10-09 09:46:53

(RHSA-2023:5362) Important: nodejs:18 security, bug fix, and enhancement update

2023-09-26 14:27:17

(RHSA-2023:5363) Important: nodejs:18 security, bug fix, and enhancement update

2023-09-26 14:27:56

photon

Critical Photon OS Security Update - PHSA-2023-3.0-0642

2023-09-01 00:00:00

Critical Photon OS Security Update - PHSA-2023-5.0-0082

2023-08-29 00:00:00

fedora

[SECURITY] Fedora 37 Update: nodejs20-20.5.1-1.fc37

2023-08-19 00:48:29

[SECURITY] Fedora 37 Update: nodejs18-18.17.1-1.fc37

2023-08-19 00:48:28

[SECURITY] Fedora 37 Update: nodejs16-16.20.2-1.fc37

2023-08-19 00:48:28

nodejsblog

Wednesday August 9th 2023 Security Releases

2023-08-09 00:00:00

K000135997 : Multiple Node.js vulnerabilities

2023-08-28 00:00:00

debian

[SECURITY] [DSA 5589-1] nodejs security update

2023-12-27 22:12:40

gentoo

Node.js: Multiple Vulnerabilities

2024-05-08 00:00:00

ics

Siemens SINEC NMS

2024-02-15 12:00:00

oracle

Oracle Critical Patch Update Advisory - January 2024

2024-01-16 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.3%

JSON

Related for PRION:CVE-2023-32006