{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-32006", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2023-05-01T01:00:12.220Z", "datePublished": "2023-08-15T15:10:09.447Z", "dateUpdated": "2024-08-02T15:03:28.787Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Node.js", "product": "Node.js", "versions": [{"version": "20.5.0", "status": "affected", "lessThanOrEqual": "20.5.0", "versionType": "semver"}, {"version": "18.17.0", "status": "affected", "lessThanOrEqual": "18.17.0", "versionType": "semver"}, {"version": "16.20.1", "status": "affected", "lessThanOrEqual": "16.20.1", "versionType": "semver"}]}], "references": [{"url": "https://hackerone.com/reports/2043807"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/"}, {"url": "https://security.netapp.com/advisory/ntap-20230915-0009/"}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2023-08-15T15:10:09.447Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:03:28.787Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/2043807", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230915-0009/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "F7394398-D1FA-4786-B962-7D0FFF50DB2D", "versionEndIncluding": "16.20.1", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "7DAF267F-6FDD-4914-B37E-181B91BF8B64", "versionEndIncluding": "18.17.0", "versionStartIncluding": "18.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "145E971E-F0AF-49A7-8A9C-3AAFE01C076B", "versionEndIncluding": "20.5.0", "versionStartIncluding": "20.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js."}, {"lang": "es", "value": "El uso de 'module.constructor.createRequire()' puede omitir el mecanismo de pol\u00edticas y requerir m\u00f3dulos fuera de la definici\u00f3n policy.json para un m\u00f3dulo determinado. Esta vulnerabilidad afecta a todos los usuarios que usan el mecanismo de directiva experimental en todas las l\u00edneas de versi\u00f3n activas: 16.x, 18.x y 20.x. Tenga en cuenta que en el momento en que se emiti\u00f3 este CVE, la pol\u00edtica es una caracter\u00edstica experimental de Node.js."}], "id": "CVE-2023-32006", "lastModified": "2023-09-15T14:15:10.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-15T16:15:11.460", "references": [{"source": "support@hackerone.com", "tags": ["Issue Tracking"], "url": "https://hackerone.com/reports/2043807"}, {"source": "support@hackerone.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/"}, {"source": "support@hackerone.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/"}, {"source": "support@hackerone.com", "url": "https://security.netapp.com/advisory/ntap-20230915-0009/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5360", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:16-8080020230906092006.63b34585", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-09-26T00:00:00Z"}, {"advisory": "RHSA-2023:5362", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:18-8080020230825111344.63b34585", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-09-26T00:00:00Z"}, {"advisory": "RHSA-2023:5361", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "nodejs:16-8060020230906023909.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-09-26T00:00:00Z"}, {"advisory": "RHSA-2023:5363", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:18-9020020230825081254.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-09-26T00:00:00Z"}, {"advisory": "RHSA-2023:5532", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs-1:16.20.2-1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5533", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "nodejs-1:16.20.2-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-10-09T00:00:00Z"}], "bugzilla": {"description": "nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()", "id": "2230955", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2230955"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "status": "verified"}, "cwe": "CWE-213", "details": ["The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.", "A vulnerability was found in NodeJS. This security issue occurs as the use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-32006", "package_state": [{"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs14-nodejs", "product_name": "Red Hat Software Collections"}], "public_date": "2023-08-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-32006\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-32006\nhttps://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-impersonate-other-modules-in-using-moduleconstructorcreaterequire-mediumcve-2023-32006"], "threat_severity": "Moderate"}