[Pkg-javascript-devel] Bug#1031834: nodejs: CVE-2023-23918 CVE-2023-23919 CVE-2023-23920

[Salvatore Bonaccorso]

Source: nodejs
Version: 18.13.0+dfsg1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-23918[0]:
| A privilege escalation vulnerability exists in Node.js <19.6.1,
| <18.14.1, <16.19.1 and <14.21.3 that made it possible to
| bypass the experimental Permissions
| (https://nodejs.org/api/permissions.html) feature in Node.js and
| access non authorized modules by using process.mainModule.require().
| This only affects users who had enabled the experimental permissions
| option with --experimental-policy.


CVE-2023-23919[1]:
| A cryptographic vulnerability exists in Node.js <19.2.0,
| <18.14.1, <16.19.1, <14.21.3 that in some cases did does not
| clear the OpenSSL error stack after operations that may set it. This
| may lead to false positive errors during subsequent cryptographic
| operations that happen to be on the same thread. This in turn could be
| used to cause a denial of service.


CVE-2023-23920[2]:
| An untrusted search path vulnerability exists in Node.js. <19.6.1,
| <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker
| to search and potentially load ICU data when running with elevated
| privileges.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-23918
    https://www.cve.org/CVERecord?id=CVE-2023-23918
[1] https://security-tracker.debian.org/tracker/CVE-2023-23919
    https://www.cve.org/CVERecord?id=CVE-2023-23919
[2] https://security-tracker.debian.org/tracker/CVE-2023-23920
    https://www.cve.org/CVERecord?id=CVE-2023-23920

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore