SUSE update for nodejs12
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU72398
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-23918
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions within the process.mainModule.require() method. A remote user can access non authorized modules.
MitigationUpdate the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.2
openSUSE Leap: 15.4
nodejs12-docs: before 12.22.12-150200.4.50.1
nodejs12: before 12.22.12-150200.4.50.1
nodejs12-debugsource: before 12.22.12-150200.4.50.1
npm12: before 12.22.12-150200.4.50.1
nodejs12-debuginfo: before 12.22.12-150200.4.50.1
nodejs12-devel: before 12.22.12-150200.4.50.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20233455-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU77586
Risk: Medium
CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-30581
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the use of proto in process.mainModule.proto.require(). This allows to bypass the policy mechanism and require modules outside of the policy.json definition.
MitigationUpdate the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.2
openSUSE Leap: 15.4
nodejs12-docs: before 12.22.12-150200.4.50.1
nodejs12: before 12.22.12-150200.4.50.1
nodejs12-debugsource: before 12.22.12-150200.4.50.1
npm12: before 12.22.12-150200.4.50.1
nodejs12-debuginfo: before 12.22.12-150200.4.50.1
nodejs12-devel: before 12.22.12-150200.4.50.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20233455-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU77605
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-30589
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests in the llhttp parser. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationUpdate the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.2
openSUSE Leap: 15.4
nodejs12-docs: before 12.22.12-150200.4.50.1
nodejs12: before 12.22.12-150200.4.50.1
nodejs12-debugsource: before 12.22.12-150200.4.50.1
npm12: before 12.22.12-150200.4.50.1
nodejs12-debuginfo: before 12.22.12-150200.4.50.1
nodejs12-devel: before 12.22.12-150200.4.50.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20233455-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Inconsistency between implementation and documented design
EUVDB-ID: #VU77606
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-30590
CWE-ID:
CWE-1068 - Inconsistency Between Implementation and Documented Design
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to inconsistency between implementation and documented design within the generateKeys() API function. The documented behavior is different from the actual behavior, and this difference could lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security.
MitigationUpdate the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.2
openSUSE Leap: 15.4
nodejs12-docs: before 12.22.12-150200.4.50.1
nodejs12: before 12.22.12-150200.4.50.1
nodejs12-debugsource: before 12.22.12-150200.4.50.1
npm12: before 12.22.12-150200.4.50.1
nodejs12-debuginfo: before 12.22.12-150200.4.50.1
nodejs12-devel: before 12.22.12-150200.4.50.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20233455-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU79332
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-32002
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions for the Module._load() method. A remote attacker can bypass the policy mechanism and include modules outside of the policy.json definition for a given module.
Update the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.2
openSUSE Leap: 15.4
nodejs12-docs: before 12.22.12-150200.4.50.1
nodejs12: before 12.22.12-150200.4.50.1
nodejs12-debugsource: before 12.22.12-150200.4.50.1
npm12: before 12.22.12-150200.4.50.1
nodejs12-debuginfo: before 12.22.12-150200.4.50.1
nodejs12-devel: before 12.22.12-150200.4.50.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20233455-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU79334
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-32006
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
Update the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.2
openSUSE Leap: 15.4
nodejs12-docs: before 12.22.12-150200.4.50.1
nodejs12: before 12.22.12-150200.4.50.1
nodejs12-debugsource: before 12.22.12-150200.4.50.1
npm12: before 12.22.12-150200.4.50.1
nodejs12-debuginfo: before 12.22.12-150200.4.50.1
nodejs12-devel: before 12.22.12-150200.4.50.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20233455-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU79335
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-32559
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
Mitigation
Update the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15: SP2 - SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.2
openSUSE Leap: 15.4
nodejs12-docs: before 12.22.12-150200.4.50.1
nodejs12: before 12.22.12-150200.4.50.1
nodejs12-debugsource: before 12.22.12-150200.4.50.1
npm12: before 12.22.12-150200.4.50.1
nodejs12-debuginfo: before 12.22.12-150200.4.50.1
nodejs12-devel: before 12.22.12-150200.4.50.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20233455-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
