Vulnerability-Lookup

CVE-2023-23918 (GCVE-0-2023-23918)

Vulnerability from cvelistv5 – Published: 2023-02-23 00:00 – Updated: 2025-05-08 16:15

Summary

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

Privilege Escalation (CAPEC-233)

Assigner

hackerone

References

2 references

URL	Tags
https://nodejs.org/en/blog/vulnerability/february…
https://security.netapp.com/advisory/ntap-2023031…

Impacted products

1 product

Vendor	Product	Version
NodeJS	Node	Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.21.3 (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.19.1 (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.14.1 (semver) Affected: 19.0 , < 19.6.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:42:27.095Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230316-0008/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-23918",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-12T17:47:16.492191Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-863",
                "description": "CWE-863 Incorrect Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-08T16:15:23.012Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Node",
          "vendor": "NodeJS",
          "versions": [
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.*",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.21.3",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.19.1",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.*",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "18.14.1",
              "status": "affected",
              "version": "18.0",
              "versionType": "semver"
            },
            {
              "lessThan": "19.6.1",
              "status": "affected",
              "version": "19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A privilege escalation vulnerability exists in Node.js \u003c19.6.1, \u003c18.14.1, \u003c16.19.1 and \u003c14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Privilege Escalation (CAPEC-233)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T05:55:44.344Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230316-0008/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2023-23918",
    "datePublished": "2023-02-23T00:00:00.000Z",
    "dateReserved": "2023-01-19T00:00:00.000Z",
    "dateUpdated": "2025-05-08T16:15:23.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-23918",
      "date": "2026-05-30",
      "epss": "0.0002",
      "percentile": "0.06047"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-23918\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2023-02-23T20:15:13.920\",\"lastModified\":\"2025-05-08T17:16:00.237\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A privilege escalation vulnerability exists in Node.js \u003c19.6.1, \u003c18.14.1, \u003c16.19.1 and \u003c14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"14.0.0\",\"versionEndIncluding\":\"14.14.0\",\"matchCriteriaId\":\"428DCD7B-6F66-4F18-B780-5BD80143D482\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"14.0.0\",\"versionEndExcluding\":\"14.21.3\",\"matchCriteriaId\":\"DA48F3CE-68BC-43F1-9428-A9F928420081\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"16.0.0\",\"versionEndIncluding\":\"16.12.0\",\"matchCriteriaId\":\"1D1D0CEC-62E5-4368-B8F2-1DA5DD0B88FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"16.0.0\",\"versionEndExcluding\":\"16.19.1\",\"matchCriteriaId\":\"6E9FAEC6-2D3A-4CBE-859F-11BCECC4F724\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"18.0.0\",\"versionEndIncluding\":\"18.11.0\",\"matchCriteriaId\":\"33DB62F6-9D8D-42F8-A75E-82DA091C02BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"18.0.0\",\"versionEndExcluding\":\"18.14.1\",\"matchCriteriaId\":\"80500AD0-17C2-4698-AE03-1C6782FD38B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"19.0.0\",\"versionEndExcluding\":\"19.6.1\",\"matchCriteriaId\":\"8F4FCD16-4B9F-44B9-80DD-D024759CAB10\"}]}]}],\"references\":[{\"url\":\"https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20230316-0008/\",\"source\":\"support@hackerone.com\"},{\"url\":\"https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20230316-0008/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230316-0008/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T10:42:27.095Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-23918\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-12T17:47:16.492191Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863 Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-12T17:46:30.801Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"NodeJS\", \"product\": \"Node\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0\", \"lessThan\": \"4.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.0\", \"lessThan\": \"5.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.0\", \"lessThan\": \"6.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"7.0\", \"lessThan\": \"7.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.0\", \"lessThan\": \"8.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.0\", \"lessThan\": \"9.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"10.0\", \"lessThan\": \"10.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"11.0\", \"lessThan\": \"11.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.0\", \"lessThan\": \"12.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"13.0\", \"lessThan\": \"13.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"14.0\", \"lessThan\": \"14.21.3\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"15.0\", \"lessThan\": \"15.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"16.0\", \"lessThan\": \"16.19.1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"17.0\", \"lessThan\": \"17.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"18.0\", \"lessThan\": \"18.14.1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"19.0\", \"lessThan\": \"19.6.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230316-0008/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A privilege escalation vulnerability exists in Node.js \u003c19.6.1, \u003c18.14.1, \u003c16.19.1 and \u003c14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Privilege Escalation (CAPEC-233)\"}]}], \"providerMetadata\": {\"orgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"shortName\": \"hackerone\", \"dateUpdated\": \"2025-04-30T05:55:44.344Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-23918\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-08T16:15:23.012Z\", \"dateReserved\": \"2023-01-19T00:00:00.000Z\", \"assignerOrgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"datePublished\": \"2023-02-23T00:00:00.000Z\", \"assignerShortName\": \"hackerone\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

alsa-2023:1582

Vulnerability from osv_almalinux

Published

2023-04-04 00:00

Modified

2023-04-20 12:04

Summary

Moderate: nodejs:16 security, bug fix, and enhancement update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (16.19.1).

Security Fix(es):

glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)
http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
Node.js: OpenSSL error handling issues in nodejs crypto library (CVE-2023-23919)
Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)
Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)
Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:1582	ADVISORY
	https://access.redhat.com/security/cve/CVE-2021-35065	REPORT
	https://access.redhat.com/security/cve/CVE-2022-25881	REPORT
	https://access.redhat.com/security/cve/CVE-2022-4904	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23918	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23919	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23920	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23936	REPORT
	https://access.redhat.com/security/cve/CVE-2023-24807	REPORT
	https://bugzilla.redhat.com/2156324	REPORT
	https://bugzilla.redhat.com/2165824	REPORT
	https://bugzilla.redhat.com/2168631	REPORT
	https://bugzilla.redhat.com/2171935	REPORT
	https://bugzilla.redhat.com/2172170	REPORT
	https://bugzilla.redhat.com/2172190	REPORT
	https://bugzilla.redhat.com/2172204	REPORT
	https://bugzilla.redhat.com/2172217	REPORT
	https://errata.almalinux.org/8/ALSA-2023-1582.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:16.19.1-1.module_el8.7.0+3496+a59a3324"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:16.19.1-1.module_el8.7.0+3496+a59a3324"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:16.19.1-1.module_el8.7.0+3496+a59a3324"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-full-i18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:16.19.1-1.module_el8.7.0+3496+a59a3324"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.20-3.module_el8.7.0+3496+a59a3324"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25-1.module_el8.5.0+2605+45d748af"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "npm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:8.19.3-1.16.19.1.1.module_el8.7.0+3496+a59a3324"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (16.19.1).\n\nSecurity Fix(es):\n\n* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)\n* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)\n* Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)\n* Node.js: OpenSSL error handling issues in nodejs crypto library (CVE-2023-23919)\n* Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)\n* Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)\n* Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2023:1582",
  "modified": "2023-04-20T12:04:52Z",
  "published": "2023-04-04T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:1582"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2021-35065"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-25881"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-4904"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23918"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23919"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23920"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23936"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-24807"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2156324"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2165824"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2168631"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2171935"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172170"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172190"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172204"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172217"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2023-1582.html"
    }
  ],
  "related": [
    "CVE-2021-35065",
    "CVE-2022-4904",
    "CVE-2022-25881",
    "CVE-2023-23918",
    "CVE-2023-23919",
    "CVE-2023-23936",
    "CVE-2023-23920",
    "CVE-2023-24807"
  ],
  "summary": "Moderate: nodejs:16 security, bug fix, and enhancement update"
}

alsa-2023:1583

Vulnerability from osv_almalinux

Published

2023-04-04 00:00

Modified

2023-04-20 12:25

Summary

Moderate: nodejs:18 security, bug fix, and enhancement update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (18.14.2).

Security Fix(es):

glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)
Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)
Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:1583	ADVISORY
	https://access.redhat.com/security/cve/CVE-2021-35065	REPORT
	https://access.redhat.com/security/cve/CVE-2022-25881	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23918	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23920	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23936	REPORT
	https://access.redhat.com/security/cve/CVE-2023-24807	REPORT
	https://bugzilla.redhat.com/2156324	REPORT
	https://bugzilla.redhat.com/2165824	REPORT
	https://bugzilla.redhat.com/2171935	REPORT
	https://bugzilla.redhat.com/2172190	REPORT
	https://bugzilla.redhat.com/2172204	REPORT
	https://bugzilla.redhat.com/2172217	REPORT
	https://errata.almalinux.org/8/ALSA-2023-1583.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:18.14.2-2.module_el8.7.0+3497+c65299e7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:18.14.2-2.module_el8.7.0+3497+c65299e7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:18.14.2-2.module_el8.7.0+3497+c65299e7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-full-i18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:18.14.2-2.module_el8.7.0+3497+c65299e7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.20-2.module_el8.7.0+3497+c65299e7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-4.module_el8.7.0+3343+ea2b7901"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging-bundler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-4.module_el8.7.0+3343+ea2b7901"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "npm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:9.5.0-1.18.14.2.2.module_el8.7.0+3497+c65299e7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (18.14.2).\n\nSecurity Fix(es):\n\n* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)\n* Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)\n* Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)\n* Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)\n* Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2023:1583",
  "modified": "2023-04-20T12:25:58Z",
  "published": "2023-04-04T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:1583"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2021-35065"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-25881"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23918"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23920"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23936"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-24807"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2156324"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2165824"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2171935"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172190"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172204"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172217"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2023-1583.html"
    }
  ],
  "related": [
    "CVE-2021-35065",
    "CVE-2022-25881",
    "CVE-2023-23918",
    "CVE-2023-23936",
    "CVE-2023-23920",
    "CVE-2023-24807"
  ],
  "summary": "Moderate: nodejs:18 security, bug fix, and enhancement update"
}

alsa-2023:1743

Vulnerability from osv_almalinux

Published

2023-04-12 00:00

Modified

2023-04-20 13:00

Summary

Important: nodejs:14 security, bug fix, and enhancement update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (14.21.3).

Security Fix(es):

decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)
http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:1743	ADVISORY
	https://access.redhat.com/security/cve/CVE-2021-35065	REPORT
	https://access.redhat.com/security/cve/CVE-2022-25881	REPORT
	https://access.redhat.com/security/cve/CVE-2022-3517	REPORT
	https://access.redhat.com/security/cve/CVE-2022-38900	REPORT
	https://access.redhat.com/security/cve/CVE-2022-4904	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23918	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23920	REPORT
	https://bugzilla.redhat.com/2134609	REPORT
	https://bugzilla.redhat.com/2156324	REPORT
	https://bugzilla.redhat.com/2165824	REPORT
	https://bugzilla.redhat.com/2168631	REPORT
	https://bugzilla.redhat.com/2170644	REPORT
	https://bugzilla.redhat.com/2171935	REPORT
	https://bugzilla.redhat.com/2172217	REPORT
	https://errata.almalinux.org/8/ALSA-2023-1743.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:14.21.3-1.module_el8.7.0+3551+53700ee8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:14.21.3-1.module_el8.7.0+3551+53700ee8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:14.21.3-1.module_el8.7.0+3551+53700ee8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-full-i18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:14.21.3-1.module_el8.7.0+3551+53700ee8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.20-3.module_el8.7.0+3551+53700ee8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "23-3.module_el8.4.0+2522+3bd42762"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "npm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:6.14.18-1.14.21.3.1.module_el8.7.0+3551+53700ee8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (14.21.3).\n\nSecurity Fix(es):\n\n* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)\n* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)\n* c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)\n* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)\n* Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)\n* Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2023:1743",
  "modified": "2023-04-20T13:00:15Z",
  "published": "2023-04-12T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:1743"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2021-35065"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-25881"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-3517"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38900"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-4904"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23918"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23920"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2134609"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2156324"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2165824"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2168631"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2170644"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2171935"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172217"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2023-1743.html"
    }
  ],
  "related": [
    "CVE-2022-38900",
    "CVE-2021-35065",
    "CVE-2022-3517",
    "CVE-2022-4904",
    "CVE-2022-25881",
    "CVE-2023-23918",
    "CVE-2023-23920"
  ],
  "summary": "Important: nodejs:14 security, bug fix, and enhancement update"
}

alsa-2023:2654

Vulnerability from osv_almalinux

Published

2023-05-09 00:00

Modified

2023-05-11 21:13

Summary

Moderate: nodejs:18 security, bug fix, and enhancement update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (18.14.2).

Security Fix(es):

glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)
http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
Node.js: OpenSSL error handling issues in nodejs crypto library (CVE-2023-23919)
Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)
Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)
Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2654	ADVISORY
	https://access.redhat.com/security/cve/CVE-2021-35065	REPORT
	https://access.redhat.com/security/cve/CVE-2022-25881	REPORT
	https://access.redhat.com/security/cve/CVE-2022-4904	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23918	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23919	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23920	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23936	REPORT
	https://access.redhat.com/security/cve/CVE-2023-24807	REPORT
	https://bugzilla.redhat.com/2156324	REPORT
	https://bugzilla.redhat.com/2165824	REPORT
	https://bugzilla.redhat.com/2168631	REPORT
	https://bugzilla.redhat.com/2171935	REPORT
	https://bugzilla.redhat.com/2172170	REPORT
	https://bugzilla.redhat.com/2172190	REPORT
	https://bugzilla.redhat.com/2172204	REPORT
	https://bugzilla.redhat.com/2172217	REPORT
	https://errata.almalinux.org/9/ALSA-2023-2654.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:18.14.2-2.module_el9.2.0+29+de583a0b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:18.14.2-2.module_el9.2.0+29+de583a0b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:18.14.2-2.module_el9.2.0+29+de583a0b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-full-i18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:18.14.2-2.module_el9.2.0+29+de583a0b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.20-2.module_el9.2.0+29+de583a0b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-4.module_el9.1.0+13+d9a595ea"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-packaging-bundler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-4.module_el9.1.0+13+d9a595ea"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "npm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:9.5.0-1.18.14.2.2.module_el9.2.0+29+de583a0b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (18.14.2).\n\nSecurity Fix(es):\n\n* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)\n* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)\n* Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)\n* Node.js: OpenSSL error handling issues in nodejs crypto library (CVE-2023-23919)\n* Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)\n* Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)\n* Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2023:2654",
  "modified": "2023-05-11T21:13:57Z",
  "published": "2023-05-09T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2654"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2021-35065"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-25881"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-4904"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23918"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23919"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23920"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23936"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-24807"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2156324"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2165824"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2168631"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2171935"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172170"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172190"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172204"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172217"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-2654.html"
    }
  ],
  "related": [
    "CVE-2021-35065",
    "CVE-2022-4904",
    "CVE-2022-25881",
    "CVE-2023-23918",
    "CVE-2023-23919",
    "CVE-2023-23936",
    "CVE-2023-23920",
    "CVE-2023-24807"
  ],
  "summary": "Moderate: nodejs:18 security, bug fix, and enhancement update"
}

alsa-2023:2655

Vulnerability from osv_almalinux

Published

2023-05-09 00:00

Modified

2023-05-11 21:02

Summary

Moderate: nodejs and nodejs-nodemon security, bug fix, and enhancement update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (16.19.1), nodejs-nodemon (2.0.20).

Security Fix(es):

c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)
http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)
Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)
Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2655	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-25881	REPORT
	https://access.redhat.com/security/cve/CVE-2022-4904	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23918	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23920	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23936	REPORT
	https://access.redhat.com/security/cve/CVE-2023-24807	REPORT
	https://bugzilla.redhat.com/2165824	REPORT
	https://bugzilla.redhat.com/2168631	REPORT
	https://bugzilla.redhat.com/2171935	REPORT
	https://bugzilla.redhat.com/2172190	REPORT
	https://bugzilla.redhat.com/2172204	REPORT
	https://bugzilla.redhat.com/2172217	REPORT
	https://errata.almalinux.org/9/ALSA-2023-2655.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:16.19.1-1.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:16.19.1-1.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-full-i18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:16.19.1-1.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:16.19.1-1.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "npm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:8.19.3-1.16.19.1.1.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (16.19.1), nodejs-nodemon (2.0.20).\n\nSecurity Fix(es):\n\n* c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)\n* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)\n* Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)\n* Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)\n* Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)\n* Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2023:2655",
  "modified": "2023-05-11T21:02:44Z",
  "published": "2023-05-09T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2655"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-25881"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-4904"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23918"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23920"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23936"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-24807"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2165824"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2168631"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2171935"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172190"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172204"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2172217"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-2655.html"
    }
  ],
  "related": [
    "CVE-2022-4904",
    "CVE-2022-25881",
    "CVE-2023-23918",
    "CVE-2023-23936",
    "CVE-2023-23920",
    "CVE-2023-24807"
  ],
  "summary": "Moderate: nodejs and nodejs-nodemon security, bug fix, and enhancement update"
}

BDU:2023-01627

Vulnerability from fstec - Published: 16.02.2023

Title

Уязвимость функции process.mainModule.require() программной платформы Node.js, позволяющая нарушителю повысить свои привилегии

Description

Уязвимость функции process.mainModule.require() программной платформы Node.js, связана с ошибками авторизации. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, повысить свои привилегии

Severity


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor

Novell Inc., Red Hat Inc., Сообщество свободного программного обеспечения, NetApp Inc., ООО «Ред Софт», Fedora Project, Node.js Foundation

Software Name

SUSE Linux Enterprise Server for SAP Applications, Suse Linux Enterprise Server, Red Hat Enterprise Linux, Debian GNU/Linux, Red Hat 3scale API Management Platform, ONTAP Tools for VMware vSphere, Brocade SAN Navigator (SANnav), РЕД ОС (запись в едином реестре российских программ №3751), OpenSUSE Leap, Fedora, Node.js

Software Version

12 SP3 (SUSE Linux Enterprise Server for SAP Applications), 12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 12 SP3 (Suse Linux Enterprise Server), 12 SP4 (Suse Linux Enterprise Server), 8 (Red Hat Enterprise Linux), 12 SP5 (Suse Linux Enterprise Server), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), 10 (Debian GNU/Linux), 12 (SUSE Linux Enterprise Server for SAP Applications), 2 (Red Hat 3scale API Management Platform), 11 (Debian GNU/Linux), 12 (Suse Linux Enterprise Server), - (ONTAP Tools for VMware vSphere), - (Brocade SAN Navigator (SANnav)), 7.3 (РЕД ОС), 15.4 (OpenSUSE Leap), 15 SP3 (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 15 SP2 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 15 SP4 (Suse Linux Enterprise Server), 15 SP2-BCL (Suse Linux Enterprise Server), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 9 (Red Hat Enterprise Linux), 15 SP2-LTSS (Suse Linux Enterprise Server), 37 (Fedora), 15 SP3-LTSS (Suse Linux Enterprise Server), 15 SP3-BCL (Suse Linux Enterprise Server), 38 (Fedora), от 14.0.0 до 14.21.3 (Node.js), от 16.0.0 до 16.19.1 (Node.js), от 18.0.0 до 18.14.1 (Node.js), от 19.0.0 до 19.6.1 (Node.js)

Possible Mitigations

Использование рекомендаций: Для Node.js: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/cve-2023-23918 Для программных продуктов Debian GNU/Linux: https://security-tracker.debian.org/tracker/CVE-2023-23918 Для программных продуктов Novell Inc.: https://www.suse.com/security/cve/CVE-2023-23918.html Для программных продуктов Fedora: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCZGMVMOQF3IIYLXRDAMUGEYRFMODSFO/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WGNBZL6LNUADB3YLMTFRZU5OKREK65IC/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/357Y2YWSNBYGQTIGXBE44REBOKU27PLK/ Для программных продуктов NetApp Inc: https://security.netapp.com/advisory/ntap-20230316-0008/ Для РЕД ОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

Reference

https://www.cybersecurity-help.cz/vdb/SB2023031610 https://github.com/nodejs/node/commit/af9140088621abd09016848f4526d66b7a81b9ba https://github.com/nodejs/node/commit/9b7db62276e4a9c97aedf91daf38bf7b7d23fee4 https://nodejs.org/en/blog/vulnerability/february-2023-security-releases https://access.redhat.com/security/cve/cve-2023-23918 https://security-tracker.debian.org/tracker/CVE-2023-23918 https://www.suse.com/security/cve/CVE-2023-23918.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCZGMVMOQF3IIYLXRDAMUGEYRFMODSFO/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WGNBZL6LNUADB3YLMTFRZU5OKREK65IC/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/357Y2YWSNBYGQTIGXBE44REBOKU27PLK/ https://security.netapp.com/advisory/ntap-20230316-0008/ http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

CWE

CWE-264, CWE-863

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Novell Inc., Red Hat Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, NetApp Inc., \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Fedora Project, Node.js Foundation",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "12 SP3 (SUSE Linux Enterprise Server for SAP Applications), 12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 12 SP3 (Suse Linux Enterprise Server), 12 SP4 (Suse Linux Enterprise Server), 8 (Red Hat Enterprise Linux), 12 SP5 (Suse Linux Enterprise Server), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), 10 (Debian GNU/Linux), 12 (SUSE Linux Enterprise Server for SAP Applications), 2 (Red Hat 3scale API Management Platform), 11 (Debian GNU/Linux), 12 (Suse Linux Enterprise Server), - (ONTAP Tools for VMware vSphere), - (Brocade SAN Navigator (SANnav)), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 15.4 (OpenSUSE Leap), 15 SP3 (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 15 SP2 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 15 SP4 (Suse Linux Enterprise Server), 15 SP2-BCL (Suse Linux Enterprise Server), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 9 (Red Hat Enterprise Linux), 15 SP2-LTSS (Suse Linux Enterprise Server), 37 (Fedora), 15 SP3-LTSS (Suse Linux Enterprise Server), 15 SP3-BCL (Suse Linux Enterprise Server), 38 (Fedora), \u043e\u0442 14.0.0 \u0434\u043e 14.21.3 (Node.js), \u043e\u0442 16.0.0 \u0434\u043e 16.19.1 (Node.js), \u043e\u0442 18.0.0 \u0434\u043e 18.14.1 (Node.js), \u043e\u0442 19.0.0 \u0434\u043e 19.6.1 (Node.js)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\n\u0414\u043b\u044f Node.js:\nhttps://nodejs.org/en/blog/vulnerability/february-2023-security-releases\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2023-23918\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2023-23918\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2023-23918.html\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Fedora:\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCZGMVMOQF3IIYLXRDAMUGEYRFMODSFO/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WGNBZL6LNUADB3YLMTFRZU5OKREK65IC/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/357Y2YWSNBYGQTIGXBE44REBOKU27PLK/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 NetApp Inc:\nhttps://security.netapp.com/advisory/ntap-20230316-0008/\n\n\u0414\u043b\u044f \u0420\u0415\u0414 \u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "16.02.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "18.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "28.03.2023",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-01627",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-23918",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "SUSE Linux Enterprise Server for SAP Applications, Suse Linux Enterprise Server, Red Hat Enterprise Linux, Debian GNU/Linux, Red Hat 3scale API Management Platform, ONTAP Tools for VMware vSphere, Brocade SAN Navigator (SANnav), \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), OpenSUSE Leap, Fedora, Node.js",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4 , Novell Inc. Suse Linux Enterprise Server 12 SP3 , Novell Inc. Suse Linux Enterprise Server 12 SP4 , Red Hat Inc. Red Hat Enterprise Linux 8 , Novell Inc. Suse Linux Enterprise Server 12 SP5 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , Novell Inc. Suse Linux Enterprise Server 12 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Novell Inc. OpenSUSE Leap 15.4 , Novell Inc. Suse Linux Enterprise Server 15 SP3 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3 , Novell Inc. Suse Linux Enterprise Server 15 SP2 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2 , Novell Inc. Suse Linux Enterprise Server 15 SP4 , Novell Inc. Suse Linux Enterprise Server 15 SP2-BCL , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4 , Red Hat Inc. Red Hat Enterprise Linux 9 , Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS , Fedora Project Fedora 37 , Novell Inc. Suse Linux Enterprise Server 15 SP3-LTSS , Novell Inc. Suse Linux Enterprise Server 15 SP3-BCL , Fedora Project Fedora 38 ",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 process.mainModule.require() \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Node.js, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0420\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u0438\u044f, \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c (CWE-264), \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f (CWE-863)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 process.mainModule.require() \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Node.js, \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u0430\u0441\u0430\u0435\u0442\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u0442\u0435\u0445 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439, \u0443 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u0430 \u043e\u043f\u0446\u0438\u044f \u044d\u043a\u0441\u043f\u0435\u0440\u0438\u043c\u0435\u043d\u0442\u0430\u043b\u044c\u043d\u044b\u0445 \u0440\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u0438\u0439 \u0441 --experimental-policy.",
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.cybersecurity-help.cz/vdb/SB2023031610\nhttps://github.com/nodejs/node/commit/af9140088621abd09016848f4526d66b7a81b9ba\nhttps://github.com/nodejs/node/commit/9b7db62276e4a9c97aedf91daf38bf7b7d23fee4\nhttps://nodejs.org/en/blog/vulnerability/february-2023-security-releases\nhttps://access.redhat.com/security/cve/cve-2023-23918\nhttps://security-tracker.debian.org/tracker/CVE-2023-23918\nhttps://www.suse.com/security/cve/CVE-2023-23918.html\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCZGMVMOQF3IIYLXRDAMUGEYRFMODSFO/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WGNBZL6LNUADB3YLMTFRZU5OKREK65IC/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/357Y2YWSNBYGQTIGXBE44REBOKU27PLK/\nhttps://security.netapp.com/advisory/ntap-20230316-0008/\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-264, CWE-863",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}

bit-node-2023-23918

Vulnerability from bitnami_vulndb

Published

2024-03-06 11:02

Modified

2025-04-03 14:40

Summary

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "node",
        "purl": "pkg:bitnami/node"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.21.3"
            },
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.19.1"
            },
            {
              "introduced": "18.0.0"
            },
            {
              "fixed": "18.14.1"
            },
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "19.6.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23918"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
      "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*"
    ],
    "severity": "High"
  },
  "details": "A privilege escalation vulnerability exists in Node.js \u003c19.6.1, \u003c18.14.1, \u003c16.19.1 and \u003c14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.",
  "id": "BIT-node-2023-23918",
  "modified": "2025-04-03T14:40:37.652Z",
  "published": "2024-03-06T11:02:19.960Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230316-0008/"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23918"
    }
  ],
  "schema_version": "1.5.0"
}

CERTFR-2023-AVI-0325

Vulnerability from certfr_avis - Published: 2023-04-19 - Updated: 2023-04-20

De multiples vulnérabilités ont été découvertes dans les produits Oracle. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	Java SE	Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20
Oracle	Database Server	Oracle Database Server 19c, 21c
Oracle	N/A	Oracle GraalVM Enterprise Edition: 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1
Oracle	PeopleSoft	Oracle PeopleSoft versions 8.58, 8.59, 8.60, 9.2
Oracle	Virtualization	Oracle Virtualization versions 6.1.x antérieures à 6.1.44
Oracle	MySQL	Oracle MySQL versions 8.0.33 et antérieures
Oracle	Systems	Oracle Systems versions 10, 11
Oracle	Virtualization	Oracle Virtualization versions 7.0.x antérieures à 7.0.8
Oracle	MySQL	Oracle MySQL versions 5.7.41 et antérieures
Oracle	Weblogic	Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle cpuapr2023 du 18 avril 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Server 19c, 21c",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle GraalVM Enterprise Edition: 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle PeopleSoft versions 8.58, 8.59, 8.60, 9.2",
      "product": {
        "name": "PeopleSoft",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Virtualization versions 6.1.x ant\u00e9rieures \u00e0 6.1.44",
      "product": {
        "name": "Virtualization",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle MySQL versions 8.0.33 et ant\u00e9rieures",
      "product": {
        "name": "MySQL",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Systems versions 10, 11",
      "product": {
        "name": "Systems",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Virtualization versions 7.0.x ant\u00e9rieures \u00e0 7.0.8",
      "product": {
        "name": "Virtualization",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle MySQL versions 5.7.41 et ant\u00e9rieures",
      "product": {
        "name": "MySQL",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0",
      "product": {
        "name": "Weblogic",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-21938",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21938"
    },
    {
      "name": "CVE-2023-21916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21916"
    },
    {
      "name": "CVE-2023-21985",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21985"
    },
    {
      "name": "CVE-2023-21979",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21979"
    },
    {
      "name": "CVE-2023-21986",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21986"
    },
    {
      "name": "CVE-2020-14343",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-14343"
    },
    {
      "name": "CVE-2023-21954",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21954"
    },
    {
      "name": "CVE-2023-21940",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21940"
    },
    {
      "name": "CVE-2023-21939",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21939"
    },
    {
      "name": "CVE-2023-21962",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21962"
    },
    {
      "name": "CVE-2022-31160",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31160"
    },
    {
      "name": "CVE-2022-45061",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45061"
    },
    {
      "name": "CVE-2023-21917",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21917"
    },
    {
      "name": "CVE-2023-21984",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21984"
    },
    {
      "name": "CVE-2023-21956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21956"
    },
    {
      "name": "CVE-2023-0215",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0215"
    },
    {
      "name": "CVE-2023-21945",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21945"
    },
    {
      "name": "CVE-2022-42916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42916"
    },
    {
      "name": "CVE-2023-21966",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21966"
    },
    {
      "name": "CVE-2023-21947",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21947"
    },
    {
      "name": "CVE-2023-22002",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22002"
    },
    {
      "name": "CVE-2023-21981",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21981"
    },
    {
      "name": "CVE-2023-21987",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21987"
    },
    {
      "name": "CVE-2023-21977",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21977"
    },
    {
      "name": "CVE-2023-21971",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21971"
    },
    {
      "name": "CVE-2023-21999",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21999"
    },
    {
      "name": "CVE-2023-21928",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21928"
    },
    {
      "name": "CVE-2023-21972",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21972"
    },
    {
      "name": "CVE-2023-21960",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21960"
    },
    {
      "name": "CVE-2021-37533",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37533"
    },
    {
      "name": "CVE-2023-21990",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21990"
    },
    {
      "name": "CVE-2023-22000",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22000"
    },
    {
      "name": "CVE-2023-21913",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21913"
    },
    {
      "name": "CVE-2023-23918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
    },
    {
      "name": "CVE-2021-36090",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-36090"
    },
    {
      "name": "CVE-2023-21963",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21963"
    },
    {
      "name": "CVE-2023-21980",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21980"
    },
    {
      "name": "CVE-2020-6950",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6950"
    },
    {
      "name": "CVE-2023-21996",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21996"
    },
    {
      "name": "CVE-2022-40152",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
    },
    {
      "name": "CVE-2023-21953",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21953"
    },
    {
      "name": "CVE-2023-21934",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21934"
    },
    {
      "name": "CVE-2023-22003",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22003"
    },
    {
      "name": "CVE-2023-21998",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21998"
    },
    {
      "name": "CVE-2022-37434",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-37434"
    },
    {
      "name": "CVE-2023-21946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21946"
    },
    {
      "name": "CVE-2023-21933",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21933"
    },
    {
      "name": "CVE-2023-21931",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21931"
    },
    {
      "name": "CVE-2023-21937",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21937"
    },
    {
      "name": "CVE-2022-45143",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45143"
    },
    {
      "name": "CVE-2023-21896",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21896"
    },
    {
      "name": "CVE-2022-43551",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-43551"
    },
    {
      "name": "CVE-2023-21964",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21964"
    },
    {
      "name": "CVE-2021-22569",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22569"
    },
    {
      "name": "CVE-2022-34169",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
    },
    {
      "name": "CVE-2022-43548",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-43548"
    },
    {
      "name": "CVE-2023-21920",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21920"
    },
    {
      "name": "CVE-2022-45685",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45685"
    },
    {
      "name": "CVE-2023-21918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21918"
    },
    {
      "name": "CVE-2023-21992",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21992"
    },
    {
      "name": "CVE-2023-21911",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21911"
    },
    {
      "name": "CVE-2023-21976",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21976"
    },
    {
      "name": "CVE-2021-31684",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31684"
    },
    {
      "name": "CVE-2023-21968",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21968"
    },
    {
      "name": "CVE-2023-21991",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21991"
    },
    {
      "name": "CVE-2023-21989",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21989"
    },
    {
      "name": "CVE-2023-21982",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21982"
    },
    {
      "name": "CVE-2023-21930",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21930"
    },
    {
      "name": "CVE-2023-24998",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
    },
    {
      "name": "CVE-2023-21935",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21935"
    },
    {
      "name": "CVE-2020-25638",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25638"
    },
    {
      "name": "CVE-2023-21955",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21955"
    },
    {
      "name": "CVE-2023-21988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21988"
    },
    {
      "name": "CVE-2022-1471",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
    },
    {
      "name": "CVE-2022-45047",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
    },
    {
      "name": "CVE-2022-36033",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-36033"
    },
    {
      "name": "CVE-2023-21912",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21912"
    },
    {
      "name": "CVE-2023-21929",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21929"
    },
    {
      "name": "CVE-2023-21967",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21967"
    },
    {
      "name": "CVE-2023-22001",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22001"
    },
    {
      "name": "CVE-2022-41881",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
    },
    {
      "name": "CVE-2023-21948",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21948"
    },
    {
      "name": "CVE-2023-21919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21919"
    }
  ],
  "initial_release_date": "2023-04-19T00:00:00",
  "last_revision_date": "2023-04-20T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-0325",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-04-19T00:00:00.000000"
    },
    {
      "description": "Correction coquilles.",
      "revision_date": "2023-04-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nOracle. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Oracle",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuapr2023 du 18 avril 2023",
      "url": "https://www.oracle.com/security-alerts/cpuapr2023.html"
    }
  ]
}

CERTFR-2023-AVI-0337

Vulnerability from certfr_avis - Published: 2023-04-25 - Updated: 2023-04-25

De multiples vulnérabilités ont été découvertes dans les produits IBM. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, un déni de service à distance, une injection de code indirecte à distance (XSS), un contournement de la politique de sécurité et une exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
IBM	Db2	IBM Db2 Graph versions antérieures à 1.0.0.1562-s390x
IBM	Db2	IBM Db2 Graph versions antérieures à 1.0.0.1562-ppcle
IBM	Db2	IBM Db2 versions 11.5.x antérieures à 11.5.7 sans le dernier correctif de sécurité
IBM	Db2	IBM Db2 versions 10.5.x antérieures à 10.5 FP11 sans le dernier correctif de sécurité
IBM	Db2	IBM Db2 Graph versions antérieures à 1.0.0.1598-s390x
IBM	Db2	IBM Db2 Graph versions antérieures à 1.0.0.1598-amd64
IBM	Db2	IBM Db2 versions 11.5.x antérieures à 11.5.8 sans le dernier correctif de sécurité
IBM	Db2	IBM Db2 Graph versions antérieures à 1.0.0.1598-ppcle
IBM	Db2	IBM Db2 Graph versions antérieures à latest-s390x
IBM	Db2	IBM Db2 Graph versions antérieures à latest-amd64
IBM	Db2	IBM Db2 versions 11.1.x antérieures à 11.1.4 FP7 sans le dernier correctif de sécurité
IBM	Db2	IBM Db2 Graph versions antérieures à latest-ppcle
IBM	Db2	IBM Db2 Graph versions antérieures à 1.0.0.1562-amd64

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6985691 du 24 avril 2023	None	vendor-advisory
Bulletin de sécurité IBM 6985689 du 24 avril 2023	None	vendor-advisory
Bulletin de sécurité IBM 6985687 du 24 avril 2023	None	vendor-advisory
Bulletin de sécurité IBM 6985681 du 24 avril 2023	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Db2 Graph versions ant\u00e9rieures \u00e0 1.0.0.1562-s390x",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 Graph versions ant\u00e9rieures \u00e0 1.0.0.1562-ppcle",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 versions 11.5.x ant\u00e9rieures \u00e0 11.5.7 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 versions 10.5.x ant\u00e9rieures \u00e0 10.5 FP11 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 Graph versions ant\u00e9rieures \u00e0 1.0.0.1598-s390x",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 Graph versions ant\u00e9rieures \u00e0 1.0.0.1598-amd64",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 versions 11.5.x ant\u00e9rieures \u00e0 11.5.8 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 Graph versions ant\u00e9rieures \u00e0 1.0.0.1598-ppcle",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 Graph versions ant\u00e9rieures \u00e0 latest-s390x",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 Graph versions ant\u00e9rieures \u00e0 latest-amd64",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 versions 11.1.x ant\u00e9rieures \u00e0 11.1.4 FP7 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 Graph versions ant\u00e9rieures \u00e0 latest-ppcle",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 Graph versions ant\u00e9rieures \u00e0 1.0.0.1562-amd64",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-33980",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-33980"
    },
    {
      "name": "CVE-2023-23936",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23936"
    },
    {
      "name": "CVE-2023-24807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24807"
    },
    {
      "name": "CVE-2023-29257",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-29257"
    },
    {
      "name": "CVE-2023-26021",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26021"
    },
    {
      "name": "CVE-2022-37865",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-37865"
    },
    {
      "name": "CVE-2023-23920",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23920"
    },
    {
      "name": "CVE-2022-38749",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
    },
    {
      "name": "CVE-2023-23918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
    },
    {
      "name": "CVE-2022-37866",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-37866"
    },
    {
      "name": "CVE-2020-8244",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8244"
    },
    {
      "name": "CVE-2022-42889",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
    },
    {
      "name": "CVE-2022-41915",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41915"
    },
    {
      "name": "CVE-2022-42004",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
    },
    {
      "name": "CVE-2022-25881",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
    },
    {
      "name": "CVE-2022-41854",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
    },
    {
      "name": "CVE-2023-23919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23919"
    },
    {
      "name": "CVE-2023-29255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-29255"
    },
    {
      "name": "CVE-2022-25857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
    },
    {
      "name": "CVE-2022-38751",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
    },
    {
      "name": "CVE-2022-38752",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
    },
    {
      "name": "CVE-2022-38750",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
    },
    {
      "name": "CVE-2022-42003",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
    },
    {
      "name": "CVE-2022-41881",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
    }
  ],
  "initial_release_date": "2023-04-25T00:00:00",
  "last_revision_date": "2023-04-25T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-0337",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-04-25T00:00:00.000000"
    },
    {
      "description": "Ajout de r\u00e9f\u00e9rence CVE",
      "revision_date": "2023-04-25T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits \u003cspan\nclass=\"textit\"\u003eIBM\u003c/span\u003e. Elles permettent \u00e0 un attaquant de provoquer\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, un d\u00e9ni de service \u00e0\ndistance, une injection de code indirecte \u00e0 distance (XSS), un\ncontournement de la politique de s\u00e9curit\u00e9 et une ex\u00e9cution de code\narbitraire \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6985691 du 24 avril 2023",
      "url": "https://www.ibm.com/support/pages/node/6985691"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6985689 du 24 avril 2023",
      "url": "https://www.ibm.com/support/pages/node/6985689"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6985687 du 24 avril 2023",
      "url": "https://www.ibm.com/support/pages/node/6985687"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6985681 du 24 avril 2023",
      "url": "https://www.ibm.com/support/pages/node/6985681"
    }
  ]
}

CERTFR-2023-AVI-0504

Vulnerability from certfr_avis - Published: 2023-06-30 - Updated: 2023-06-30

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
IBM	Spectrum	IBM Spectrum Protect Backup-Archive Client versions 8.1.x antérieures à 8.1.19.0
IBM	Db2	Db2 Graph versions 1.0.0.592 à 1.0.0.1690 sans le dernier correctif de sécurité
IBM	N/A	IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions antérieures à 4.7

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7008449 du 29 juin 2023	None	vendor-advisory
Bulletin de sécurité IBM 6998815 du 28 juin 2023	None	vendor-advisory
Bulletin de sécurité IBM 7005519 du 26 juin 2023	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Spectrum Protect Backup-Archive Client versions 8.1.x ant\u00e9rieures \u00e0 8.1.19.0",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Db2 Graph versions 1.0.0.592 \u00e0 1.0.0.1690 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions ant\u00e9rieures \u00e0 4.7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-43927",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-43927"
    },
    {
      "name": "CVE-2022-46175",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
    },
    {
      "name": "CVE-2022-33980",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-33980"
    },
    {
      "name": "CVE-2023-27555",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-27555"
    },
    {
      "name": "CVE-2023-25165",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-25165"
    },
    {
      "name": "CVE-2022-41725",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41725"
    },
    {
      "name": "CVE-2023-23936",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23936"
    },
    {
      "name": "CVE-2019-18634",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-18634"
    },
    {
      "name": "CVE-2023-24807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24807"
    },
    {
      "name": "CVE-2023-28956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28956"
    },
    {
      "name": "CVE-2023-29257",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-29257"
    },
    {
      "name": "CVE-2019-19232",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19232"
    },
    {
      "name": "CVE-2023-26021",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26021"
    },
    {
      "name": "CVE-2022-37865",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-37865"
    },
    {
      "name": "CVE-2023-23920",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23920"
    },
    {
      "name": "CVE-2022-41716",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41716"
    },
    {
      "name": "CVE-2019-10743",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10743"
    },
    {
      "name": "CVE-2022-38749",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
    },
    {
      "name": "CVE-2023-23918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
    },
    {
      "name": "CVE-2022-37866",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-37866"
    },
    {
      "name": "CVE-2020-8244",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8244"
    },
    {
      "name": "CVE-2022-42889",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
    },
    {
      "name": "CVE-2023-24539",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24539"
    },
    {
      "name": "CVE-2014-3577",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-3577"
    },
    {
      "name": "CVE-2022-41915",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41915"
    },
    {
      "name": "CVE-2023-24532",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24532"
    },
    {
      "name": "CVE-2021-3156",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3156"
    },
    {
      "name": "CVE-2022-42004",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
    },
    {
      "name": "CVE-2022-41721",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41721"
    },
    {
      "name": "CVE-2023-29400",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-29400"
    },
    {
      "name": "CVE-2022-25881",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
    },
    {
      "name": "CVE-2022-43548",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-43548"
    },
    {
      "name": "CVE-2023-25930",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-25930"
    },
    {
      "name": "CVE-2022-41854",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
    },
    {
      "name": "CVE-2022-41724",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41724"
    },
    {
      "name": "CVE-2023-23919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23919"
    },
    {
      "name": "CVE-2023-29255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-29255"
    },
    {
      "name": "CVE-2023-24540",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24540"
    },
    {
      "name": "CVE-2022-25857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
    },
    {
      "name": "CVE-2022-38751",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
    },
    {
      "name": "CVE-2023-24537",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24537"
    },
    {
      "name": "CVE-2022-38752",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
    },
    {
      "name": "CVE-2022-43930",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-43930"
    },
    {
      "name": "CVE-2022-38750",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
    },
    {
      "name": "CVE-2023-27559",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-27559"
    },
    {
      "name": "CVE-2022-43929",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-43929"
    },
    {
      "name": "CVE-2022-42003",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
    },
    {
      "name": "CVE-2022-41723",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
    },
    {
      "name": "CVE-2022-1471",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
    },
    {
      "name": "CVE-2019-19234",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19234"
    },
    {
      "name": "CVE-2023-26022",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26022"
    },
    {
      "name": "CVE-2022-41881",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
    }
  ],
  "initial_release_date": "2023-06-30T00:00:00",
  "last_revision_date": "2023-06-30T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-0504",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-06-30T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7008449 du 29 juin 2023",
      "url": "https://www.ibm.com/support/pages/node/7008449"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6998815 du 28 juin 2023",
      "url": "https://www.ibm.com/support/pages/node/6998815"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7005519 du 26 juin 2023",
      "url": "https://www.ibm.com/support/pages/node/7005519"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-23918 (GCVE-0-2023-23918)

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from bitnami_vulndb

Solution

Solution

Solution

Tags

Sightings

Nomenclature