ALAS2023-2023-304 --- nodejsID: oval:org.secpod.oval:def:19500344 | Date: (C)2024-01-04 (M)2024-02-19 |
Class: PATCH | Family: unix |
The use of Module._load can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.Impacts:This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of module.constructor.createRequire can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.Impacts:This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding run arbitrary code, outside of the limits defined in a policy.json file.Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.ImpactsThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x
Platform: |
Amazon Linux 2023 |
Product: |
nodejs |
v8-devel |
npm |