corepack20-20.5.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13117-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z corepack20-20.5.1-1.1 on GA media These are all security issues fixed in the corepack20-20.5.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13117 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-32002/ SUSE CVE CVE-2023-32002 page https://www.suse.com/security/cve/CVE-2023-32003/ SUSE CVE CVE-2023-32003 page https://www.suse.com/security/cve/CVE-2023-32004/ SUSE CVE CVE-2023-32004 page https://www.suse.com/security/cve/CVE-2023-32005/ SUSE CVE CVE-2023-32005 page https://www.suse.com/security/cve/CVE-2023-32006/ SUSE CVE CVE-2023-32006 page https://www.suse.com/security/cve/CVE-2023-32558/ SUSE CVE CVE-2023-32558 page https://www.suse.com/security/cve/CVE-2023-32559/ SUSE CVE CVE-2023-32559 page openSUSE Tumbleweed corepack20-20.5.1-1.1 nodejs20-20.5.1-1.1 nodejs20-devel-20.5.1-1.1 nodejs20-docs-20.5.1-1.1 npm20-20.5.1-1.1 corepack20-20.5.1-1.1 as a component of openSUSE Tumbleweed nodejs20-20.5.1-1.1 as a component of openSUSE Tumbleweed nodejs20-devel-20.5.1-1.1 as a component of openSUSE Tumbleweed nodejs20-docs-20.5.1-1.1 as a component of openSUSE Tumbleweed npm20-20.5.1-1.1 as a component of openSUSE Tumbleweed The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. CVE-2023-32002 openSUSE Tumbleweed:corepack20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-devel-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-docs-20.5.1-1.1 openSUSE Tumbleweed:npm20-20.5.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-32002.html CVE-2023-32002 https://bugzilla.suse.com/1214150 SUSE Bug 1214150 `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. CVE-2023-32003 openSUSE Tumbleweed:corepack20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-devel-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-docs-20.5.1-1.1 openSUSE Tumbleweed:npm20-20.5.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-32003.html CVE-2023-32003 https://bugzilla.suse.com/1214151 SUSE Bug 1214151 A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. CVE-2023-32004 openSUSE Tumbleweed:corepack20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-devel-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-docs-20.5.1-1.1 openSUSE Tumbleweed:npm20-20.5.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-32004.html CVE-2023-32004 https://bugzilla.suse.com/1214152 SUSE Bug 1214152 https://bugzilla.suse.com/1216271 SUSE Bug 1216271 A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. CVE-2023-32005 openSUSE Tumbleweed:corepack20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-devel-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-docs-20.5.1-1.1 openSUSE Tumbleweed:npm20-20.5.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-32005.html CVE-2023-32005 https://bugzilla.suse.com/1214153 SUSE Bug 1214153 The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. CVE-2023-32006 openSUSE Tumbleweed:corepack20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-devel-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-docs-20.5.1-1.1 openSUSE Tumbleweed:npm20-20.5.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-32006.html CVE-2023-32006 https://bugzilla.suse.com/1214156 SUSE Bug 1214156 The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. CVE-2023-32558 openSUSE Tumbleweed:corepack20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-devel-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-docs-20.5.1-1.1 openSUSE Tumbleweed:npm20-20.5.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-32558.html CVE-2023-32558 https://bugzilla.suse.com/1214155 SUSE Bug 1214155 A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. CVE-2023-32559 openSUSE Tumbleweed:corepack20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-devel-20.5.1-1.1 openSUSE Tumbleweed:nodejs20-docs-20.5.1-1.1 openSUSE Tumbleweed:npm20-20.5.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-32559.html CVE-2023-32559 https://bugzilla.suse.com/1214154 SUSE Bug 1214154