Source: nodejs Version: 18.13.0+dfsg1-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerabilities were published for nodejs. CVE-2023-23918[0]: | A privilege escalation vulnerability exists in Node.js <19.6.1, | <18.14.1, <16.19.1 and <14.21.3 that made it possible to | bypass the experimental Permissions | (https://nodejs.org/api/permissions.html) feature in Node.js and | access non authorized modules by using process.mainModule.require(). | This only affects users who had enabled the experimental permissions | option with --experimental-policy. CVE-2023-23919[1]: | A cryptographic vulnerability exists in Node.js <19.2.0, | <18.14.1, <16.19.1, <14.21.3 that in some cases did does not | clear the OpenSSL error stack after operations that may set it. This | may lead to false positive errors during subsequent cryptographic | operations that happen to be on the same thread. This in turn could be | used to cause a denial of service. CVE-2023-23920[2]: | An untrusted search path vulnerability exists in Node.js. <19.6.1, | <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker | to search and potentially load ICU data when running with elevated | privileges. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-23918 https://www.cve.org/CVERecord?id=CVE-2023-23918 [1] https://security-tracker.debian.org/tracker/CVE-2023-23919 https://www.cve.org/CVERecord?id=CVE-2023-23919 [2] https://security-tracker.debian.org/tracker/CVE-2023-23920 https://www.cve.org/CVERecord?id=CVE-2023-23920 Please adjust the affected versions in the BTS as needed. Regards, Salvatore