Opened 15 months ago
Closed 15 months ago
#17669 closed defect (fixed)
node.js v18.14.1
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | elevated | Milestone: | 11.3 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
This contains fixes for the following five vulnerabilities, in addition to shipping updated OpenSSL (that part should not affect us since we use system OpenSSL):
CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
Fixed in 9624ef9d8deff3ec241e4e78e21f35a103dd4f7c 11.2-1219
Security Advisory to follow on Friday.