=====================================================================

                               CERT-Renater

                     Note d'Information No. 2023/VULN403

_____________________________________________________________________

DATE                : 16/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Node.js 20.x prior to 20.8.1 or
                     Node.js 18.x prior to 18.18.2 (LTS).

=====================================================================
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
_____________________________________________________________________


Friday October 13 2023 Security Releases
By Rafael Gonzaga, 13 Oct 2023
(Update 13-October-2023) Security releases available

Updates are now available for the v18.x and v20.x Node.js release
lines for the following issues.


undici - Cookie headers are not cleared in cross-domain redirect in
undici-fetch (High) - (CVE-2023-45143)

Undici did not always clear Cookie headers on cross-origin redirects.
By design, Cookie is a forbidden request header: browser fetch
implementations refuse to let it be set through RequestInit.headers.
Undici handles headers more liberally than the spec, so the assumption
the spec relies on (that a request never carries a caller-supplied
Cookie header) did not hold for undici's implementation of fetch.

As a result a cookie may leak to a third-party site by accident, or on
purpose: an attacker who controls the redirect target (for example
through an open redirector on the first-party site) can have the
cookie sent to a site they control.

More details are available in GHSA-wqq4-5wpv-mx2g.
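The check a fetch-style client has to make on every redirect hop, as an added example that is not undici's code: when the Location header points at a different origin, the credential-bearing request headers must not be forwarded. The header lists, the constructed redirect chain and the simulated servers below are this example's own; the "buggy" list stands in for a redirect handler that strips Authorization but forgets Cookie, which is the shape of the bug described above.

```javascript
// Added example (not undici's code): how a fetch-style client must treat
// credential-bearing request headers when a redirect crosses an origin.
// Header lists and the redirect scenario are constructed for the example.

// Headers that identify the client to the origin it was talking to; none
// of them may travel to a different origin.
const STRIP_ON_CROSS_ORIGIN_FIXED = ['authorization', 'proxy-authorization', 'cookie', 'host'];
// A list that forgets Cookie: Authorization is dropped, the session cookie is not.
const STRIP_ON_CROSS_ORIGIN_BUGGY = ['authorization', 'proxy-authorization', 'host'];

function isSameOrigin(a, b) {
  // URL.origin is scheme + host + port, which is what the Fetch spec compares.
  return new URL(a).origin === new URL(b).origin;
}

// Compute the URL and headers for the next hop of a redirect.
function headersForRedirect(currentUrl, location, headers, stripList) {
  const next = new URL(location, currentUrl).href;      // Location may be relative
  const crossOrigin = !isSameOrigin(currentUrl, next);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (crossOrigin && stripList.includes(lower)) continue;
    out[lower] = value;
  }
  return { url: next, headers: out };
}

// Follow a redirect chain without touching the network: `respond` is a
// constructed stand-in for the servers, mapping a URL to { status, location }.
function followRedirects(startUrl, headers, respond, stripList, maxRedirects = 20) {
  const hops = [];
  let url = startUrl;
  let hdrs = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  for (let i = 0; ; i++) {
    hops.push({ url, headers: hdrs });
    const res = respond(url);
    if (!(res.status >= 300 && res.status <= 399) || !res.location) return hops;
    if (i === maxRedirects) throw new Error('too many redirects');
    ({ url, headers: hdrs } = headersForRedirect(url, res.location, hdrs, stripList));
  }
}

// Constructed scenario: an open redirector on app.example sends the client to
// a third-party host; the client started the request with a session cookie.
const responses = {
  'https://app.example/go?to=https://evil.example/collect':
    { status: 302, location: 'https://evil.example/collect' },
  'https://evil.example/collect': { status: 200 },
  'https://app.example/login': { status: 302, location: '/dashboard' },  // same-origin redirect
  'https://app.example/dashboard': { status: 200 },
};
const respond = (url) => responses[url] || { status: 404 };

const START = 'https://app.example/go?to=https://evil.example/collect';
const REQUEST_HEADERS = { Cookie: 'session=abc123', Authorization: 'Bearer t0k3n' };

// Headers that reach the final hop of the chain.
function finalHeaders(stripList, from = START) {
  const hops = followRedirects(from, REQUEST_HEADERS, respond, stripList);
  return hops[hops.length - 1].headers;
}

console.log('buggy list, cross-origin :', finalHeaders(STRIP_ON_CROSS_ORIGIN_BUGGY));
console.log('fixed list, cross-origin :', finalHeaders(STRIP_ON_CROSS_ORIGIN_FIXED));
console.log('fixed list, same-origin  :', finalHeaders(STRIP_ON_CROSS_ORIGIN_FIXED, 'https://app.example/login'));
```

The comparison is on the full origin (scheme, host and port), not on the host name alone: a redirect from https://app.example to http://app.example or to another port is a different origin and must be treated like a third party.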


nghttp2 - HTTP/2 Rapid Reset (High) - (CVE-2023-44487)

Rapidly creating and cancelling streams (a HEADERS frame immediately
followed by RST_STREAM), without bound, causes a denial of service. See
https://www.cve.org/CVERecord?id=CVE-2023-44487 for details.

Impacts:

     This vulnerability affects all users of HTTP/2 servers in all
     active release lines 18.x and 20.x.
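What the attack looks like from the server side, as an added example that is not nghttp2's or Node's code: a detector run over a per-connection log of HTTP/2 frame events that counts streams cancelled almost immediately after being opened, and flags a connection when that count exceeds a rate no ordinary client produces. The frame log, the connection names and the thresholds (rapidMs, windowMs, maxRapidResetsPerWindow) are constructed for the example and would need tuning against real traffic.

```javascript
// Added example, not nghttp2's or Node's code. It scans a log of HTTP/2 frame
// events for the Rapid Reset signature: HEADERS followed almost at once by
// RST_STREAM on the same stream, repeated at a high rate on one connection.
// Thresholds and traffic below are constructed for the example.

class RapidResetDetector {
  constructor({ rapidMs = 50, windowMs = 1000, maxRapidResetsPerWindow = 100 } = {}) {
    this.rapidMs = rapidMs;                  // HEADERS->RST_STREAM gap that counts as "rapid"
    this.windowMs = windowMs;                // sliding window length
    this.maxRapidResetsPerWindow = maxRapidResetsPerWindow;
    this.conns = new Map();                  // connection id -> per-connection state
  }

  _state(conn) {
    let s = this.conns.get(conn);
    if (!s) {
      s = { openedAt: new Map(), streams: 0, resets: 0, rapidResets: 0, window: [], flagged: false };
      this.conns.set(conn, s);
    }
    return s;
  }

  // frame: { t: ms timestamp, conn: connection id, type: frame type, stream: stream id }
  observe(frame) {
    const s = this._state(frame.conn);
    if (frame.type === 'HEADERS') {
      if (!s.openedAt.has(frame.stream)) { s.openedAt.set(frame.stream, frame.t); s.streams++; }
    } else if (frame.type === 'RST_STREAM') {
      s.resets++;
      const openedAt = s.openedAt.get(frame.stream);
      s.openedAt.delete(frame.stream);
      if (openedAt !== undefined && frame.t - openedAt <= this.rapidMs) {
        s.rapidResets++;
        s.window.push(frame.t);
        const cutoff = frame.t - this.windowMs;      // drop resets that left the window
        while (s.window.length && s.window[0] < cutoff) s.window.shift();
        if (s.window.length > this.maxRapidResetsPerWindow) s.flagged = true;
      }
    }
    return s.flagged;
  }

  flaggedConnections() {
    return [...this.conns].filter(([, s]) => s.flagged).map(([conn]) => conn);
  }
}

// Constructed traffic. Attack: a stream is opened every millisecond and reset
// 1 ms later. Normal: streams get data; one in ten is cancelled much later.
function attackFrames(conn, streams, t0 = 0) {
  const out = [];
  for (let i = 0; i < streams; i++) {
    const id = 1 + 2 * i;                              // client-initiated stream ids are odd
    out.push({ t: t0 + i, conn, type: 'HEADERS', stream: id });
    out.push({ t: t0 + i + 1, conn, type: 'RST_STREAM', stream: id });
  }
  return out;
}
function normalFrames(conn, streams, t0 = 0) {
  const out = [];
  for (let i = 0; i < streams; i++) {
    const id = 1 + 2 * i;
    out.push({ t: t0 + 20 * i, conn, type: 'HEADERS', stream: id });
    out.push({ t: t0 + 20 * i + 15, conn, type: 'DATA', stream: id });
    if (i % 10 === 0) out.push({ t: t0 + 20 * i + 300, conn, type: 'RST_STREAM', stream: id });
  }
  return out.sort((a, b) => a.t - b.t);
}

// Feed a frame log through the detector and summarise per connection.
function scan(frames, opts) {
  const det = new RapidResetDetector(opts);
  for (const f of frames) det.observe(f);
  const stats = Object.fromEntries([...det.conns].map(([c, s]) =>
    [c, { streams: s.streams, resets: s.resets, rapidResets: s.rapidResets }]));
  return { flagged: det.flaggedConnections(), stats };
}

const SAMPLE = [...attackFrames('attacker:443', 500), ...normalFrames('user:443', 200)]
  .sort((a, b) => a.t - b.t);
console.log(scan(SAMPLE));
```

The detector keys on the gap between HEADERS and RST_STREAM rather than on the reset count alone, so a client that legitimately cancels many long-running streams is not flagged; the upstream mitigation works at the nghttp2 session level with a plain reset rate limit, which is simpler but trips on that case too.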


Permission model improperly protects against path traversal (High) -
(CVE-2023-39331)

A previously disclosed vulnerability (CVE-2023-30584) was patched
insufficiently. The new path traversal vulnerability arises because
the implementation does not protect itself against the application
overwriting built-in utility functions with user-defined implementations.

Impacts:

     This vulnerability affects all users using the experimental
     permission model in Node.js 20.x.

Please note that at the time this CVE is issued, the permission model
is an experimental feature of Node.js.

Thanks to Tobias Nießen who reported and created the security patch.


Path traversal through path stored in Uint8Array (High) - (CVE-2023-39332)

Various node:fs functions allow specifying paths as either strings or
Uint8Array objects. In Node.js environments, the Buffer class extends
the Uint8Array class. Node.js prevents path traversal through strings
(see CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not
through non-Buffer Uint8Array objects.

This is distinct from CVE-2023-32004 (report 2038134), which only
referred to Buffer objects. However, the vulnerability follows the
same pattern using Uint8Array instead of Buffer.

Impacts:

     This vulnerability affects all users using the experimental
     permission model in Node.js 20.x.

Please note that at the time this CVE is issued, the permission model
is an experimental feature of Node.js.

Thanks to Tobias Nießen who reported and created the security patch.


Integrity checks according to policies can be circumvented (Medium) -
(CVE-2023-38552)

When the Node.js policy feature checks the integrity of a resource
against a trusted manifest, the application can intercept the
operation and return a forged checksum to Node's policy implementation,
effectively disabling the integrity check.

Impacts:

     This vulnerability affects all users using the experimental
     policy mechanism in all active release lines: 18.x and 20.x.

Please note that at the time this CVE is issued, the policy mechanism
is an experimental feature of Node.js.

Thanks to Tobias Nießen who reported and created the security patch.


Code injection via WebAssembly export names (Low) - (CVE-2023-39333)

Maliciously crafted export names in an imported WebAssembly module can
inject JavaScript code. The injected code may be able to access data
and functions that the WebAssembly module itself does not have access
to, much as if the WebAssembly module were a JavaScript module.

Impacts:

     This vulnerability affects users of the --experimental-wasm-modules
     command line option in all active release lines 18.x and 20.x.

Thanks to dittyroma for reporting the issue and to Tobias Nießen for
fixing it.
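Where the injection point is, as an added example that is not Node's module-loader code: the block builds a one-function WebAssembly module whose export name is chosen by the module author, then runs a binding generator that splices export names straight into JavaScript source (the defect class the advisory describes) beside one that validates each name as a single identifier before generating anything. The module bytes, the payload name and both generators are constructed for the example; the real loader's source template is not reproduced here.

```javascript
// Added example, not Node's module-loader code. Shows how an export name from
// a wasm module reaches generated JavaScript source, and the check that stops
// it. The wasm bytes, payload and generators are constructed for the example.

function leb128(n) {                       // unsigned LEB128, used for wasm sizes and counts
  const out = [];
  do { let b = n & 0x7f; n >>>= 7; if (n) b |= 0x80; out.push(b); } while (n);
  return out;
}
function section(id, body) { return [id, ...leb128(body.length), ...body]; }

// Minimal module: one function of type () -> () with an empty body, exported
// under `name`. Export names are arbitrary UTF-8 strings as far as wasm cares.
function wasmExporting(name) {
  const nameBytes = [...Buffer.from(name, 'utf8')];
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                       // "\0asm", version 1
    ...section(1, [0x01, 0x60, 0x00, 0x00]),                              // type 0: () -> ()
    ...section(3, [0x01, 0x00]),                                          // func 0 has type 0
    ...section(7, [0x01, ...leb128(nameBytes.length), ...nameBytes, 0x00, 0x00]), // export name -> func 0
    ...section(10, [0x01, 0x02, 0x00, 0x0b]),                             // body: no locals, end
  ]);
}

function exportNames(bytes) {
  return WebAssembly.Module.exports(new WebAssembly.Module(bytes)).map((e) => e.name);
}

// Vulnerable: the export name becomes a binding name by string concatenation.
function bindingSourceUnsafe(names) {
  return names.map((n) => `const ${n} = exports[${JSON.stringify(n)}];`).join('\n');
}

// Hardened: only names that are a single identifier reach the generated source.
const IDENTIFIER = /^[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*$/u;
function bindingSourceSafe(names) {
  for (const n of names) {
    if (!IDENTIFIER.test(n)) throw new SyntaxError(`refusing export name ${JSON.stringify(n)}: not an identifier`);
  }
  return bindingSourceUnsafe(names);
}

// Instantiate the module and run the generated binding code, as a loader would.
function bind(bytes, generator) {
  const mod = new WebAssembly.Module(bytes);
  const instance = new WebAssembly.Instance(mod, {});
  const names = WebAssembly.Module.exports(mod).map((e) => e.name);
  new Function('exports', generator(names))(instance.exports);
  return names;
}

// Constructed payload: a name that closes the binding and runs its own statement.
const PAYLOAD = 'run = 0; globalThis.pwned = "wasm export name"; const tail';

function demo() {
  const results = {};
  delete globalThis.pwned;
  bind(wasmExporting(PAYLOAD), bindingSourceUnsafe);
  results.unsafeInjected = globalThis.pwned;            // "wasm export name"
  delete globalThis.pwned;
  try {
    bind(wasmExporting(PAYLOAD), bindingSourceSafe);
    results.safeRejected = false;
  } catch (e) {
    results.safeRejected = e instanceof SyntaxError;      // true
  }
  results.safeNoSideEffect = !('pwned' in globalThis);    // true
  results.benign = bind(wasmExporting('run'), bindingSourceSafe);   // ['run']
  return results;
}

console.log(demo());
```

With the payload above the unsafe generator emits `const run = 0; globalThis.pwned = "wasm export name"; const tail = exports["..."];`, which is valid JavaScript and runs in the loader's scope, not the wasm instance's. The identifier check is deliberately strict: a reserved word such as `if` passes the regex and then fails to compile as a binding name, which is a loud failure rather than an injection, and a loader that needs such names can fall back to property access on a namespace object instead of generating source at all.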


Downloads and release details

     Node.js v20.8.1 (Current)
     Node.js v18.18.2 (LTS)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
