
Commit 59d129b

committed
vuln: add recent vulnerabilities (#1069)
1 parent 32a25c0 commit 59d129b


8 files changed

+140
-0
lines changed


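--- a/vuln/core/118.json
+++ b/vuln/core/118.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-32002"],
+"vulnerable": "16.x || 18.x || 20.x",
+"patched": "^16.20.2 || ^18.17.1 || ^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.",
+"affectedEnvironments": ["all"]
+}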

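--- a/vuln/core/119.json
+++ b/vuln/core/119.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-32004"],
+"vulnerable": "20.x",
+"patched": "^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "Improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.",
+"affectedEnvironments": ["all"]
+}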
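Review bot: The `overview` on line 6 never says which permission check is bypassed; "file permissions" reads like operating-system permissions, while the `20.x`-only range and the sibling entries 120, 123 and 124 suggest the Node.js permission model is meant. The phrase "causing a traversal path to bypass" is also hard to parse. Something like `"overview": "Improper handling of Buffers in file system APIs allows path traversal that bypasses the permission model's file permission checks."` would let a reader triage the record without opening the `ref`; confirm the wording against the advisory. Entries 120 and 124 say "permission model" while 123 says "experimental permission model", so one spelling across the four would help anyone filtering on it.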

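--- a/vuln/core/120.json
+++ b/vuln/core/120.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-32558"],
+"vulnerable": "20.x",
+"patched": "^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "The use of the deprecated API process.binding() can bypass the permission model through path traversal.",
+"affectedEnvironments": ["all"]
+}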

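--- a/vuln/core/121.json
+++ b/vuln/core/121.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-32006"],
+"vulnerable": "16.x || 18.x || 20.x",
+"patched": "^16.20.2 || ^18.17.1 || ^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.",
+"affectedEnvironments": ["all"]
+}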

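--- a/vuln/core/122.json
+++ b/vuln/core/122.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-32559"],
+"vulnerable": "16.x || 18.x || 20.x",
+"patched": "^16.20.2 || ^18.17.1 || ^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file.",
+"affectedEnvironments": ["all"]
+}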
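Review bot: The `overview` string on line 6 is missing a word: "take advantage of process.binding('spawn_sync') run arbitrary code" should read `process.binding('spawn_sync') to run arbitrary code`. The same string is copied into the `"122"` entry of vuln/core/index.json, so both need the fix (by regenerating the index, if it is generated from the per-entry files).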

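--- a/vuln/core/123.json
+++ b/vuln/core/123.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-32005"],
+"vulnerable": "20.x",
+"patched": "^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.",
+"affectedEnvironments": ["all"]
+}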
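Review bot: The `overview` on line 6 states who is affected but not what goes wrong: it names no API and no impact, unlike entries 119, 120 and 124 from the same release. A consumer that shows only this field cannot tell whether the issue is a read, a write or an execution bypass. Add the affected API and the effect from the advisory in `ref`, keeping the existing condition about `--allow-fs-read` with a non-`*` argument.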

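--- a/vuln/core/124.json
+++ b/vuln/core/124.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-32003"],
+"vulnerable": "20.x",
+"patched": "^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack.",
+"affectedEnvironments": ["all"]
+}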

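--- a/vuln/core/index.json
+++ b/vuln/core/index.json
@@ -1462,5 +1462,89 @@
 "affectedEnvironments": [
 "all"
 ]
+},
+"118": {
+"cve": [
+"CVE-2023-32002"
+],
+"vulnerable": "16.x || 18.x || 20.x",
+"patched": "^16.20.2 || ^18.17.1 || ^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.",
+"affectedEnvironments": [
+"all"
+]
+},
+"119": {
+"cve": [
+"CVE-2023-32004"
+],
+"vulnerable": "20.x",
+"patched": "^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "Improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.",
+"affectedEnvironments": [
+"all"
+]
+},
+"120": {
+"cve": [
+"CVE-2023-32558"
+],
+"vulnerable": "20.x",
+"patched": "^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "The use of the deprecated API process.binding() can bypass the permission model through path traversal.",
+"affectedEnvironments": [
+"all"
+]
+},
+"121": {
+"cve": [
+"CVE-2023-32006"
+],
+"vulnerable": "16.x || 18.x || 20.x",
+"patched": "^16.20.2 || ^18.17.1 || ^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.",
+"affectedEnvironments": [
+"all"
+]
+},
+"122": {
+"cve": [
+"CVE-2023-32559"
+],
+"vulnerable": "16.x || 18.x || 20.x",
+"patched": "^16.20.2 || ^18.17.1 || ^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file.",
+"affectedEnvironments": [
+"all"
+]
+},
+"123": {
+"cve": [
+"CVE-2023-32005"
+],
+"vulnerable": "20.x",
+"patched": "^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.",
+"affectedEnvironments": [
+"all"
+]
+},
+"124": {
+"cve": [
+"CVE-2023-32003"
+],
+"vulnerable": "20.x",
+"patched": "^20.5.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
+"overview": "fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack.",
+"affectedEnvironments": [
+"all"
+]
 }
 }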
