apk package
chainguard/nodejs-20-doc
pkg:apk/chainguard/nodejs-20-doc
Vulnerabilities (31)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-30581 | — | < 20.3.1-r0 | 20.3.1-r0 | Nov 22, 2023 | The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. | ||
| CVE-2023-39331 | — | < 20.8.0-r0 | 20.8.0-r0 | Oct 18, 2023 | A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined impl | ||
| CVE-2023-39332 | — | < 20.8.0-r0 | 20.8.0-r0 | Oct 18, 2023 | Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004) | ||
| CVE-2023-32558 | — | < 20.5.1-r0 | 20.5.1-r0 | Sep 12, 2023 | The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an | ||
| CVE-2023-32559 | — | < 20.5.1-r0 | 20.5.1-r0 | Aug 24, 2023 | A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `pr | ||
| CVE-2023-32002 | — | < 20.5.1-r0 | 20.5.1-r0 | Aug 21, 2023 | The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note | ||
| CVE-2023-32003 | — | < 20.5.1-r0 | 20.5.1-r0 | Aug 15, 2023 | `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects | ||
| CVE-2023-32004 | — | < 20.5.1-r0 | 20.5.1-r0 | Aug 15, 2023 | A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. This vulnerability affects | ||
| CVE-2023-32006 | — | < 20.5.1-r0 | 20.5.1-r0 | Aug 15, 2023 | The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and | ||
| CVE-2023-30586 | — | < 20.3.1-r0 | 20.3.1-r0 | Jun 30, 2023 | A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can | ||
| CVE-2023-30589 | — | < 20.3.1-r0 | 20.3.1-r0 | Jun 30, 2023 | The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RF |
- CVE-2023-30581Nov 22, 2023affected < 20.3.1-r0fixed 20.3.1-r0
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.
- CVE-2023-39331Oct 18, 2023affected < 20.8.0-r0fixed 20.8.0-r0
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined impl
- CVE-2023-39332Oct 18, 2023affected < 20.8.0-r0fixed 20.8.0-r0
Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004)
- CVE-2023-32558Sep 12, 2023affected < 20.5.1-r0fixed 20.5.1-r0
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an
- CVE-2023-32559Aug 24, 2023affected < 20.5.1-r0fixed 20.5.1-r0
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `pr
- CVE-2023-32002Aug 21, 2023affected < 20.5.1-r0fixed 20.5.1-r0
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note
- CVE-2023-32003Aug 15, 2023affected < 20.5.1-r0fixed 20.5.1-r0
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects
- CVE-2023-32004Aug 15, 2023affected < 20.5.1-r0fixed 20.5.1-r0
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. This vulnerability affects
- CVE-2023-32006Aug 15, 2023affected < 20.5.1-r0fixed 20.5.1-r0
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and
- CVE-2023-30586Jun 30, 2023affected < 20.3.1-r0fixed 20.3.1-r0
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can
- CVE-2023-30589Jun 30, 2023affected < 20.3.1-r0fixed 20.3.1-r0
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RF
Page 2 of 2