#VU77603 Permissions, Privileges, and Access Controls in Node.js - CVE-2023-30586


Vulnerability identifier: #VU77603

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-30586

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Node.js
Server applications / Web servers

Vendor: Node.js Foundation

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to application allows loading arbitrary OpenSSL engines when the experimental permission model is enabled. A remote user can use the crypto.setEngine() API to bypass the permission model when called with a compatible OpenSSL engine and disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Node.js: 20.0.0, 20.1.0, 20.2.0, 20.3.0

External links
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for Node.js
Multiple vulnerabilities in IBM Spectrum Control
Multiple vulnerabilities in IBM Watson Discovery Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in IBM Business Automation Workflow
Anolis OS update for noslate-anode
Multiple vulnerabilities in Platform Navigator and Automation Assets in IBM Cloud Pak for Integration
Multiple vulnerabilities in Oracle Solaris third-party software
Multiple vulnerabilities in IBM Voice Gateway
Multiple vulnerabilities in Node.js