PRIOn knowledge basePRION:CVE-2023-32559

HistoryAug 24, 2023 - 2:15 a.m.

Vulners
/
Prion
/
Privilege escalation

Privilege escalation

2023-08-2402:15:00

PRIOn knowledge base

www.prio-n.com

vulnerability

node.js

experimental policy

process binding

spawn sync

policy mechanism

arbitrary code

cve

nvd

8.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.3%

JSON

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CPENameOperatorVersion
node.jsge20.0.0
node.jsle20.5.0
node.jsge16.0.0
node.jsle16.20.1
node.jsge18.0.0
node.jsle18.17.0

Name	Operator	Version
node.js	ge	20.0.0
node.js	le	20.5.0
node.js	ge	16.0.0
node.js	le	16.20.1
node.js	ge	18.0.0
node.js	le	18.17.0

References

hackerone.com/reports/1946470

security.netapp.com/advisory/ntap-20231006-0006/

veracode 1

alpinelinux 1

cgr 1

ibm 17

cbl_mariner 2

cvelist 1

nvd 1

osv 10

cve 1

redhatcve 1

debiancve 1

ubuntucve 1

hackerone 1

wolfi 1

nessus 32

mageia 1

rocky 2

openvas 18

ubuntu 1

almalinux 4

oraclelinux 4

redhat 6

photon 2

fedora 6

nodejsblog 1

f5 1

debian 1

gentoo 1

ics 1

oracle 1

veracode

Privilege Escalation

2023-08-24 04:48:48

alpinelinux

CVE-2023-32559

2023-08-24 02:15:09

cgr

CVE-2023-32559 vulnerabilities

2024-05-19 03:07:16

ibm

Security Bulletin: IBM Event Streams is affected by a vulnerability in Node.js (CVE-2023-32559)

2023-11-29 22:28:49

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to security restrictions bypass

2023-10-26 11:23:21

Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

2024-02-05 15:16:41

cbl_mariner

CVE-2023-32559 affecting package nodejs18 for versions less than 18.17.1-2

2023-09-27 18:02:50

CVE-2023-32559 affecting package nodejs for versions less than 16.20.2-2

2023-09-27 18:02:50

cvelist

CVE-2023-32559

2023-08-24 01:23:29

nvd

CVE-2023-32559

2023-08-24 02:15:09

osv

CVE-2023-32559

2023-08-24 02:15:09

BIT-node-2023-32559

2024-03-06 10:59:36

nodejs vulnerabilities

2024-06-10 08:42:42

cve

CVE-2023-32559

2023-08-24 02:15:09

redhatcve

CVE-2023-32559

2023-08-22 07:49:12

debiancve

CVE-2023-32559

2023-08-24 02:15:09

ubuntucve

CVE-2023-32559

2023-08-24 00:00:00

hackerone

Node.js: Dependency Policy Bypass via process.binding

2023-04-13 23:35:52

wolfi

CVE-2023-32559 vulnerabilities

2024-07-05 21:08:40

nessus

Oracle Linux 9 : nodejs (ELSA-2023-5532)

2023-10-10 00:00:00

Ubuntu 22.04 LTS / 23.10 : Node.js vulnerabilities (USN-6822-1)

2024-06-10 00:00:00

Rocky Linux 9 : nodejs (RLSA-2023:5532)

2023-10-14 00:00:00

mageia

Updated nodejs packages fix security vulnerability

2023-09-25 01:16:18

rocky

nodejs security and bug fix update

2023-10-14 02:08:35

nodejs:18 security, bug fix, and enhancement update

2023-10-05 21:35:58

openvas

Ubuntu: Security Advisory (USN-6822-1)

2024-06-11 00:00:00

openSUSE: Security Advisory for nodejs16 (SUSE-SU-2023:3379-1)

2024-03-04 00:00:00

openSUSE: Security Advisory for nodejs18 (SUSE-SU-2023:3378-1)

2024-03-04 00:00:00

ubuntu

Node.js vulnerabilities

2024-06-10 00:00:00

almalinux

Important: nodejs security and bug fix update

2023-10-09 00:00:00

Important: nodejs:18 security, bug fix, and enhancement update

2023-09-26 00:00:00

Important: nodejs:18 security, bug fix, and enhancement update

2023-09-26 00:00:00

oraclelinux

nodejs security and bug fix update

2023-10-10 00:00:00

nodejs:16 security, bug fix, and enhancement update

2023-09-28 00:00:00

nodejs:18 security, bug fix, and enhancement update

2023-10-05 00:00:00

redhat

(RHSA-2023:5532) Important: nodejs security and bug fix update

2023-10-09 09:46:53

(RHSA-2023:5362) Important: nodejs:18 security, bug fix, and enhancement update

2023-09-26 14:27:17

(RHSA-2023:5363) Important: nodejs:18 security, bug fix, and enhancement update

2023-09-26 14:27:56

photon

Critical Photon OS Security Update - PHSA-2023-3.0-0642

2023-09-01 00:00:00

Critical Photon OS Security Update - PHSA-2023-5.0-0082

2023-08-29 00:00:00

fedora

[SECURITY] Fedora 37 Update: nodejs20-20.5.1-1.fc37

2023-08-19 00:48:29

[SECURITY] Fedora 37 Update: nodejs18-18.17.1-1.fc37

2023-08-19 00:48:28

[SECURITY] Fedora 37 Update: nodejs16-16.20.2-1.fc37

2023-08-19 00:48:28

nodejsblog

Wednesday August 9th 2023 Security Releases

2023-08-09 00:00:00

K000135997 : Multiple Node.js vulnerabilities

2023-08-28 00:00:00

debian

[SECURITY] [DSA 5589-1] nodejs security update

2023-12-27 22:12:40

gentoo

Node.js: Multiple Vulnerabilities

2024-05-08 00:00:00

ics

Siemens SINEC NMS

2024-02-15 12:00:00

oracle

Oracle Critical Patch Update Advisory - January 2024

2024-01-16 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

Privilege escalation

References

Related