A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
References
| Link | Resource |
|---|---|
| https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/ | Patch Vendor Advisory |
| https://security.netapp.com/advisory/ntap-20230316-0008/ |
Configurations
Configuration 1 (hide)
|
History
16 Mar 2023, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
03 Mar 2023, 19:44
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-863 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| References | (MISC) https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/ - Patch, Vendor Advisory | |
| CPE | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* |
|
| First Time |
Nodejs
Nodejs node.js |
23 Feb 2023, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-02-23 20:15
Updated : 2023-12-10 14:48
NVD link : CVE-2023-23918
Mitre link : CVE-2023-23918
CVE.ORG link : CVE-2023-23918
JSON object : View
Products Affected
nodejs
- node.js
CWE
CWE-863
Incorrect Authorization