SB2023092674 - Anolis OS update for noslate-anode
Published: September 26, 2023 Updated: March 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30582)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an error within the experimental permission model when the --allow-fs-read flag is used with a non-* argument. An inadequate permission model fails to restrict file watching through the fs.watchFile API and result in an ability of a remote user to monitor files that they do not have explicit read access to.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30583)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to a missing check in the fs.openAsBlob() API. A remote user leverage fs.openAsBlob() to bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag.
3) Path traversal (CVE-ID: CVE-2023-30584)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error within the experimental permission model when verifying file permissions. A remote user can send a specially crafted request and read arbitrary files on the system.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30586)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to application allows loading arbitrary OpenSSL engines when the experimental permission model is enabled. A remote user can use the crypto.setEngine() API to bypass the permission model when called with a compatible OpenSSL engine and disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory.
5) Improper access control (CVE-ID: CVE-2023-30587)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can exploit the Worker class's ability to create an "internal worker" with the kIsInternal Symbol to bypass restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector).
6) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2023-30589)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests in the llhttp parser. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32002)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions for the Module._load() method. A remote attacker can bypass the policy mechanism and include modules outside of the policy.json definition for a given module.
8) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32006)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32559)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
Remediation
Install update from vendor's website.