CVE-2023-23918

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-23918
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-23918.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-23918
Aliases
Related
Published
2023-02-23T20:15:13Z
Modified
2024-09-11T04:59:38.096039Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.

References

Affected packages

Alpine:v3.14 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
14.21.3-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0
8.11.0-r0
8.11.0-r1
8.11.1-r0
8.11.1-r1
8.11.1-r2
8.11.2-r0
8.11.3-r0
8.11.3-r1
8.11.3-r2
8.11.3-r3
8.11.4-r0
8.12.0-r0

10.*

10.13.0-r0
10.14.0-r0
10.14.1-r0
10.14.2-r0
10.15.1-r0
10.15.3-r0
10.16.0-r0
10.16.1-r0
10.16.2-r0
10.16.3-r0

12.*

12.13.0-r0
12.13.0-r1
12.13.1-r0
12.14.0-r0
12.14.1-r0
12.15.0-r0
12.15.0-r1
12.15.0-r2
12.16.2-r0
12.16.3-r0
12.16.3-r1
12.17.0-r0
12.18.0-r0
12.18.0-r1
12.18.0-r2
12.18.2-r0
12.18.3-r0
12.18.4-r0
12.19.0-r0

14.*

14.15.1-r0
14.15.3-r0
14.15.3-r1
14.15.3-r2
14.15.4-r0
14.15.5-r0
14.16.0-r0
14.16.0-r1
14.16.1-r0
14.16.1-r1
14.16.1-r2
14.17.0-r0
14.17.1-r0
14.17.3-r0
14.17.4-r0
14.17.5-r0
14.17.6-r0
14.18.1-r0
14.19.0-r0
14.20.0-r0
14.20.1-r0

Alpine:v3.15 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
16.19.1-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0
8.11.0-r0
8.11.0-r1
8.11.1-r0
8.11.1-r1
8.11.1-r2
8.11.2-r0
8.11.3-r0
8.11.3-r1
8.11.3-r2
8.11.3-r3
8.11.4-r0
8.12.0-r0

10.*

10.13.0-r0
10.14.0-r0
10.14.1-r0
10.14.2-r0
10.15.1-r0
10.15.3-r0
10.16.0-r0
10.16.1-r0
10.16.2-r0
10.16.3-r0

12.*

12.13.0-r0
12.13.0-r1
12.13.1-r0
12.14.0-r0
12.14.1-r0
12.15.0-r0
12.15.0-r1
12.15.0-r2
12.16.2-r0
12.16.3-r0
12.16.3-r1
12.17.0-r0
12.18.0-r0
12.18.0-r1
12.18.0-r2
12.18.2-r0
12.18.3-r0
12.18.4-r0
12.19.0-r0

14.*

14.15.1-r0
14.15.3-r0
14.15.3-r1
14.15.3-r2
14.15.4-r0
14.15.5-r0
14.16.0-r0
14.16.0-r1
14.16.1-r0
14.16.1-r1
14.16.1-r2
14.17.0-r0
14.17.1-r0
14.17.2-r0
14.17.3-r0
14.17.4-r0
14.17.5-r0
14.17.6-r0
14.17.6-r1
14.18.0-r0
14.18.1-r0
14.18.1-r1

16.*

16.13.0-r0
16.13.1-r0
16.13.2-r0
16.14.0-r0
16.14.2-r0
16.16.0-r0
16.17.1-r0

Alpine:v3.16 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
16.19.1-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0
8.11.0-r0
8.11.0-r1
8.11.1-r0
8.11.1-r1
8.11.1-r2
8.11.2-r0
8.11.3-r0
8.11.3-r1
8.11.3-r2
8.11.3-r3
8.11.4-r0
8.12.0-r0

10.*

10.13.0-r0
10.14.0-r0
10.14.1-r0
10.14.2-r0
10.15.1-r0
10.15.3-r0
10.16.0-r0
10.16.1-r0
10.16.2-r0
10.16.3-r0

12.*

12.13.0-r0
12.13.0-r1
12.13.1-r0
12.14.0-r0
12.14.1-r0
12.15.0-r0
12.15.0-r1
12.15.0-r2
12.16.2-r0
12.16.3-r0
12.16.3-r1
12.17.0-r0
12.18.0-r0
12.18.0-r1
12.18.0-r2
12.18.2-r0
12.18.3-r0
12.18.4-r0
12.19.0-r0

14.*

14.15.1-r0
14.15.3-r0
14.15.3-r1
14.15.3-r2
14.15.4-r0
14.15.5-r0
14.16.0-r0
14.16.0-r1
14.16.1-r0
14.16.1-r1
14.16.1-r2
14.17.0-r0
14.17.1-r0
14.17.2-r0
14.17.3-r0
14.17.4-r0
14.17.5-r0
14.17.6-r0
14.17.6-r1
14.18.0-r0
14.18.1-r0
14.18.1-r1

16.*

16.13.0-r0
16.13.1-r0
16.13.1-r1
16.13.2-r0
16.13.2-r1
16.14.2-r0
16.14.2-r1
16.15.0-r0
16.15.0-r1
16.16.0-r0
16.17.1-r0

Alpine:v3.17 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.14.1-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0
8.11.0-r0
8.11.0-r1
8.11.1-r0
8.11.1-r1
8.11.1-r2
8.11.2-r0
8.11.3-r0
8.11.3-r1
8.11.3-r2
8.11.3-r3
8.11.4-r0
8.12.0-r0

10.*

10.13.0-r0
10.14.0-r0
10.14.1-r0
10.14.2-r0
10.15.1-r0
10.15.3-r0
10.16.0-r0
10.16.1-r0
10.16.2-r0
10.16.3-r0

12.*

12.13.0-r0
12.13.0-r1
12.13.1-r0
12.14.0-r0
12.14.1-r0
12.15.0-r0
12.15.0-r1
12.15.0-r2
12.16.2-r0
12.16.3-r0
12.16.3-r1
12.17.0-r0
12.18.0-r0
12.18.0-r1
12.18.0-r2
12.18.2-r0
12.18.3-r0
12.18.4-r0
12.19.0-r0

14.*

14.15.1-r0
14.15.3-r0
14.15.3-r1
14.15.3-r2
14.15.4-r0
14.15.5-r0
14.16.0-r0
14.16.0-r1
14.16.1-r0
14.16.1-r1
14.16.1-r2
14.17.0-r0
14.17.1-r0
14.17.2-r0
14.17.3-r0
14.17.4-r0
14.17.5-r0
14.17.6-r0
14.17.6-r1
14.18.0-r0
14.18.1-r0
14.18.1-r1

16.*

16.13.0-r0
16.13.1-r0
16.13.1-r1
16.13.2-r0
16.13.2-r1
16.14.2-r0
16.14.2-r1
16.15.0-r0
16.15.0-r1
16.16.0-r0
16.16.0-r1
16.17.0-r0
16.17.1-r0
16.18.0-r0
16.18.0-r1

18.*

18.12.0-r0
18.12.1-r0

Alpine:v3.18 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.14.1-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0
8.11.0-r0
8.11.0-r1
8.11.1-r0
8.11.1-r1
8.11.1-r2
8.11.2-r0
8.11.3-r0
8.11.3-r1
8.11.3-r2
8.11.3-r3
8.11.4-r0
8.12.0-r0

10.*

10.13.0-r0
10.14.0-r0
10.14.1-r0
10.14.2-r0
10.15.1-r0
10.15.3-r0
10.16.0-r0
10.16.1-r0
10.16.2-r0
10.16.3-r0

12.*

12.13.0-r0
12.13.0-r1
12.13.1-r0
12.14.0-r0
12.14.1-r0
12.15.0-r0
12.15.0-r1
12.15.0-r2
12.16.2-r0
12.16.3-r0
12.16.3-r1
12.17.0-r0
12.18.0-r0
12.18.0-r1
12.18.0-r2
12.18.2-r0
12.18.3-r0
12.18.4-r0
12.19.0-r0

14.*

14.15.1-r0
14.15.3-r0
14.15.3-r1
14.15.3-r2
14.15.4-r0
14.15.5-r0
14.16.0-r0
14.16.0-r1
14.16.1-r0
14.16.1-r1
14.16.1-r2
14.17.0-r0
14.17.1-r0
14.17.2-r0
14.17.3-r0
14.17.4-r0
14.17.5-r0
14.17.6-r0
14.17.6-r1
14.18.0-r0
14.18.1-r0
14.18.1-r1

16.*

16.13.0-r0
16.13.1-r0
16.13.1-r1
16.13.2-r0
16.13.2-r1
16.14.2-r0
16.14.2-r1
16.15.0-r0
16.15.0-r1
16.16.0-r0
16.16.0-r1
16.17.0-r0
16.17.1-r0
16.18.0-r0
16.18.0-r1

18.*

18.12.0-r0
18.12.1-r0
18.13.0-r0
18.14.0-r0

Alpine:v3.19 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.14.1-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0
8.11.0-r0
8.11.0-r1
8.11.1-r0
8.11.1-r1
8.11.1-r2
8.11.2-r0
8.11.3-r0
8.11.3-r1
8.11.3-r2
8.11.3-r3
8.11.4-r0
8.12.0-r0

10.*

10.13.0-r0
10.14.0-r0
10.14.1-r0
10.14.2-r0
10.15.1-r0
10.15.3-r0
10.16.0-r0
10.16.1-r0
10.16.2-r0
10.16.3-r0

12.*

12.13.0-r0
12.13.0-r1
12.13.1-r0
12.14.0-r0
12.14.1-r0
12.15.0-r0
12.15.0-r1
12.15.0-r2
12.16.2-r0
12.16.3-r0
12.16.3-r1
12.17.0-r0
12.18.0-r0
12.18.0-r1
12.18.0-r2
12.18.2-r0
12.18.3-r0
12.18.4-r0
12.19.0-r0

14.*

14.15.1-r0
14.15.3-r0
14.15.3-r1
14.15.3-r2
14.15.4-r0
14.15.5-r0
14.16.0-r0
14.16.0-r1
14.16.1-r0
14.16.1-r1
14.16.1-r2
14.17.0-r0
14.17.1-r0
14.17.2-r0
14.17.3-r0
14.17.4-r0
14.17.5-r0
14.17.6-r0
14.17.6-r1
14.18.0-r0
14.18.1-r0
14.18.1-r1

16.*

16.13.0-r0
16.13.1-r0
16.13.1-r1
16.13.2-r0
16.13.2-r1
16.14.2-r0
16.14.2-r1
16.15.0-r0
16.15.0-r1
16.16.0-r0
16.16.0-r1
16.17.0-r0
16.17.1-r0
16.18.0-r0
16.18.0-r1

18.*

18.12.0-r0
18.12.1-r0
18.13.0-r0
18.14.0-r0

Alpine:v3.20 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.14.1-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0
8.11.0-r0
8.11.0-r1
8.11.1-r0
8.11.1-r1
8.11.1-r2
8.11.2-r0
8.11.3-r0
8.11.3-r1
8.11.3-r2
8.11.3-r3
8.11.4-r0
8.12.0-r0

10.*

10.13.0-r0
10.14.0-r0
10.14.1-r0
10.14.2-r0
10.15.1-r0
10.15.3-r0
10.16.0-r0
10.16.1-r0
10.16.2-r0
10.16.3-r0

12.*

12.13.0-r0
12.13.0-r1
12.13.1-r0
12.14.0-r0
12.14.1-r0
12.15.0-r0
12.15.0-r1
12.15.0-r2
12.16.2-r0
12.16.3-r0
12.16.3-r1
12.17.0-r0
12.18.0-r0
12.18.0-r1
12.18.0-r2
12.18.2-r0
12.18.3-r0
12.18.4-r0
12.19.0-r0

14.*

14.15.1-r0
14.15.3-r0
14.15.3-r1
14.15.3-r2
14.15.4-r0
14.15.5-r0
14.16.0-r0
14.16.0-r1
14.16.1-r0
14.16.1-r1
14.16.1-r2
14.17.0-r0
14.17.1-r0
14.17.2-r0
14.17.3-r0
14.17.4-r0
14.17.5-r0
14.17.6-r0
14.17.6-r1
14.18.0-r0
14.18.1-r0
14.18.1-r1

16.*

16.13.0-r0
16.13.1-r0
16.13.1-r1
16.13.2-r0
16.13.2-r1
16.14.2-r0
16.14.2-r1
16.15.0-r0
16.15.0-r1
16.16.0-r0
16.16.0-r1
16.17.0-r0
16.17.1-r0
16.18.0-r0
16.18.0-r1

18.*

18.12.0-r0
18.12.1-r0
18.13.0-r0
18.14.0-r0

Debian:12 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.19.0+dfsg-6~deb12u1

Affected versions

18.*

18.13.0+dfsg1-1
18.13.0+dfsg1-1.1
18.19.0+dfsg-1
18.19.0+dfsg-2
18.19.0+dfsg-3
18.19.0+dfsg-4
18.19.0+dfsg-5

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.19.0+dfsg-2

Affected versions

18.*

18.13.0+dfsg1-1
18.13.0+dfsg1-1.1
18.19.0+dfsg-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
cc993fb2760d01457955f5b9ff787d559ed1c34e
Fixed
a9d1e5059f9cc63cafc8e786a7b6332aa7ab3b2b

Affected versions

v19.*

v19.0.0
v19.0.1
v19.1.0
v19.2.0
v19.3.0
v19.4.0
v19.5.0
v19.6.0