CVE-2023-23918
First published: Thu Feb 16 2023(Updated: )
Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when enable the experimental permissions option with --experimental-policy. By sending a specially-crafted request using process.mainModule.require(), an attacker could exploit this vulnerability to bypass Permissions and access non authorized modules.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <18-9020020230327152102.rhel9 | 18-9020020230327152102.rhel9 |
| redhat/nodejs | <1:16.19.1-1.el9_2 | 1:16.19.1-1.el9_2 |
| redhat/rh-nodejs14 | <0:3.6-2.el7 | 0:3.6-2.el7 |
| redhat/rh-nodejs14-nodejs | <0:14.21.3-2.el7 | 0:14.21.3-2.el7 |
| Nodejs Node.js | >=14.0.0<=14.14.0 | |
| Nodejs Node.js | >=14.0.0<14.21.3 | |
| Nodejs Node.js | >=16.0.0<=16.12.0 | |
| Nodejs Node.js | >=16.0.0<16.19.1 | |
| Nodejs Node.js | >=18.0.0<=18.11.0 | |
| Nodejs Node.js | >=18.0.0<18.14.1 | |
| Nodejs Node.js | >=19.0.0<19.6.1 | |
| debian/nodejs | <=18.13.0+dfsg1-1 | 10.24.0~dfsg-1~deb10u1 10.24.0~dfsg-1~deb10u3 12.22.12~dfsg-1~deb11u4 |
| redhat/Node.js | <19.6.1 | 19.6.1 |
| redhat/Node.js | <18.14.1 | 18.14.1 |
| redhat/Node.js | <16.19.1 | 16.19.1 |
| redhat/Node.js | <14.21.3 | 14.21.3 |
| IBM Cognos Controller | <=11.0.0 - 11.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2023-23918 https://nvd.nist.gov/vuln/detail/CVE-2023-23918
- https://bugzilla.redhat.com/show_bug.cgi?id=2171935
- https://access.redhat.com/errata/RHSA-2023:1582
- https://access.redhat.com/errata/RHSA-2023:1583
- https://access.redhat.com/errata/RHSA-2023:1743
- https://access.redhat.com/errata/RHSA-2023:1533
- https://access.redhat.com/errata/RHSA-2023:1742
- https://access.redhat.com/errata/RHSA-2023:2654
- https://access.redhat.com/errata/RHSA-2023:2655
- https://access.redhat.com/errata/RHSA-2023:1744
- https://access.redhat.com/security/cve/cve-2023-23918
- https://security-tracker.debian.org/tracker/CVE-2023-23918
- https://nodejs.org/api/permissions.html
- https://security-tracker.debian.org/tracker/CVE-2023-23919
- https://security-tracker.debian.org/tracker/CVE-2023-23920
- https://www.cve.org/CVERecord?id=CVE-2023-23918
- https://www.cve.org/CVERecord?id=CVE-2023-23919
- https://www.cve.org/CVERecord?id=CVE-2023-23920
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031834
- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
- https://security.netapp.com/advisory/ntap-20230316-0008/
- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-permissions-policies-can-be-bypassed-via-process-mainmodule-high-cve-2023-23918
- https://github.com/nodejs/node/commit/af9140088621abd09016848f4526d66b7a81b9ba
- https://github.com/nodejs/node/commit/9b7db62276e4a9c97aedf91daf38bf7b7d23fee4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172149
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172148
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172151
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172152
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172150
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172153
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172154
- https://www.ibm.com/support/pages/node/7177220 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2023-23918?
CVE-2023-23918 is a privilege escalation vulnerability in Node.js versions <19.6.1, <18.14.1, <16.19.1, and <14.21.3.
How can this vulnerability be exploited?
This vulnerability allows an attacker to bypass the experimental Permissions feature in Node.js and access unauthorized modules by using process.mainModule.require().
What is the severity level of CVE-2023-23918?
CVE-2023-23918 has a severity level of high.
How can I fix CVE-2023-23918?
To fix CVE-2023-23918, you need to update your Node.js version to 19.6.1 or higher, 18.14.1 or higher, 16.19.1 or higher, or 14.21.3 or higher.
Where can I find more information about CVE-2023-23918?
You can find more information about CVE-2023-23918 on the Red Hat Bugzilla website, using the following links: [link1], [link2], [link3].
- collector/redhat-cve
- collector/debian-bugs
- alias/CVE-2023-23918
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/author
- agent/remedy
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/ibm-support
- source/IBM
- agent/references
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/trending
- package-manager/redhat
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/14.0.0
- version/nodejs node.js/14.14.0
- version/nodejs node.js/16.0.0
- version/nodejs node.js/16.12.0
- version/nodejs node.js/18.0.0
- version/nodejs node.js/18.11.0
- version/nodejs node.js/19.0.0
- package-manager/debian
- vendor/ibm
- canonical/ibm cognos controller
- version/ibm cognos controller/11.0.0 - 11.0.1