CVE-2023-23918

Name
CVE-2023-23918
Description
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that makes it possible to bypass the experimental Permissions feature (https://nodejs.org/api/permissions.html) in Node.js and access non-authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
CONFIRM https://security.netapp.com/advisory/ntap-20230316-0008/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 14.0.0 <= 14.14.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 16.0.0 <= 16.12.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 18.0.0 <= 18.11.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* nodejs >= 18.0.0 < 18.14.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* nodejs >= 16.0.0 < 16.19.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 19.0.0 < 19.6.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* nodejs >= 14.0.0 < 14.21.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
nodejs 3.14-main 14.21.3-r0 Jakub Jirutka <jakub@jirutka.cz> fixed