Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

nodejs: CVE-2023-39333 CVE-2023-38552

Related Vulnerabilities: CVE-2023-39333   CVE-2023-38552  

Source

Debian Bug report logs - #1054892
nodejs: CVE-2023-39333 CVE-2023-38552

version graph

Package: src:nodejs; Maintainer for src:nodejs is Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 28 Oct 2023 07:39:01 UTC

Severity: grave

Tags: security, upstream

Found in version nodejs/18.13.0+dfsg1-1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>:
Bug#1054892; Package src:nodejs. (Sat, 28 Oct 2023 07:39:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>. (Sat, 28 Oct 2023 07:39:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nodejs: CVE-2023-39333 CVE-2023-38552
Date: Sat, 28 Oct 2023 09:36:57 +0200
Source: nodejs
Version: 18.13.0+dfsg1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-39333[0]:
| Code injection via WebAssembly export names


CVE-2023-38552[1]:
| When the Node.js policy feature checks the integrity of a resource
| against a trusted manifest, the application can intercept the
| operation and return a forged checksum to the node's policy
| implementation, thus effectively disabling the integrity check.
| Impacts: This vulnerability affects all users using the experimental
| policy mechanism in all active release lines: 18.x and, 20.x. Please
| note that at the time this CVE was issued, the policy mechanism is
| an experimental feature of Node.js.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39333
    https://www.cve.org/CVERecord?id=CVE-2023-39333
[1] https://security-tracker.debian.org/tracker/CVE-2023-38552
    https://www.cve.org/CVERecord?id=CVE-2023-38552
[2] https://nodejs.org/en/blog/vulnerability/october-2023-security-releases

Regards,
Salvatore

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Oct 28 17:54:57 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started