Read Time:3 Second
OPSWAT presented the findings is its latest Threat Intelligence Survey
Monthly Archives: August 2023
USN-6282-1: Velocity Tools vulnerability
Read Time:12 Second
Jackson Henry discovered that Velocity Tools incorrectly handled certain
inputs. If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to execute
arbitrary code.
java-1.8.0-openjdk-1.8.0.382.b05-2.fc38
Read Time:11 Second
FEDORA-2023-b3384af468
Packages in this update:
java-1.8.0-openjdk-1.8.0.382.b05-2.fc38
Update description:
respin of security cpu due to uninstallable sources subpkg
updatet to july security update 382.b05
java-1.8.0-openjdk-1.8.0.382.b05-2.fc37
Read Time:11 Second
FEDORA-2023-a2922bf669
Packages in this update:
java-1.8.0-openjdk-1.8.0.382.b05-2.fc37
Update description:
respin of security cpu due to uninstallable sources subpkg
updatet to july security update 382.b05
nodejs16-16.20.2-1.fc37 nodejs18-18.17.1-1.fc37 nodejs20-20.5.1-1.fc37
Read Time:4 Minute, 51 Second
FEDORA-2023-18476abd7e
Packages in this update:
nodejs16-16.20.2-1.fc37
nodejs18-18.17.1-1.fc37
nodejs20-20.5.1-1.fc37
Update description:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases
Security releases available
Updates are now available for the v16.x, v18.x, and v20.x Node.js release lines for the following issues.
Permissions policies can be bypassed via Module._load (HIGH)(CVE-2023-32002)
The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to mattaustin for reporting this vulnerability and thank you Rafael Gonzaga and Bradley Farias for fixing it.
Permission model bypass by specifying a path traversal sequence in a Buffer (HIGH)(CVE-2023-32004)
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.
process.binding() can bypass the permission model through path traversal (HIGH)(CVE-2023-32558)
The use of the deprecated API process.binding() can bypass the permission model through path traversal.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you to Rafael Gonzaga for reporting and fixing this vulnerability.
Permissions policies can impersonate other modules in using module.constructor.createRequire() (MEDIUM)(CVE-2023-32006)
The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga and Bradley Farias for fixing it.
Permissions policies can be bypassed via process.binding (MEDIUM)(CVE-2023-32559)
The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding(‘spawn_sync’) run arbitrary code, outside of the limits defined in a policy.json file.
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Impacts
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to LeoDog896 for reporting this vulnerability and thank you Tobias Nießen for fixing it.
fs.statfs can retrive stats from files restricted by the Permission Model (LOW)(CVE-2023-32005)
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the –allow-fs-read flag is used with a non-* argument.
This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.statfs API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you to Rafael Gonzaga for reporting and fixing this vulnerability.
fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks (LOW)(CVE-2023-32003)
fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.
Downloads and release details
Node.js v16.20.2 (LTS)
Node.js v18.17.1 (LTS)
Node.js v20.5.1 (Current)
(Update 08-Aug-2023) Security Release target August 9th
The Node.js Security Releases will be available on, or shortly after, Wednesday, August 9th, 2023.
Summary
The Node.js project will release new versions of the 16.x, 18.x and 20.x releases lines on or shortly after, Tuesday August 8th 2023 in order to address:
3 high severity issues.
2 medium severity issues.
2 low severity issues.
OpenSSL Security updates
This security release includes the following OpenSSL security updates
OpenSSL security advisory 14th July.
OpenSSL security advisory 19th July.
OpenSSL security advisory 31st July.
Impact
The 20.x release line of Node.js is vulnerable to 3 high severity issues, 2 medium severity issues, and 2 low severity issues.
The 18.x release line of Node.js is vulnerable to 1 high severity issue, and 2 medium severity issues.
The 16.x release line of Node.js is vulnerable to 1 high severity issue, and 2 medium severity issues.
nodejs16-16.20.2-1.fc38 nodejs18-18.17.1-1.fc38 nodejs20-20.5.1-1.fc38
Read Time:4 Minute, 51 Second
FEDORA-2023-d12a917ab4
Packages in this update:
nodejs16-16.20.2-1.fc38
nodejs18-18.17.1-1.fc38
nodejs20-20.5.1-1.fc38
Update description:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases
Security releases available
Updates are now available for the v16.x, v18.x, and v20.x Node.js release lines for the following issues.
Permissions policies can be bypassed via Module._load (HIGH)(CVE-2023-32002)
The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to mattaustin for reporting this vulnerability and thank you Rafael Gonzaga and Bradley Farias for fixing it.
Permission model bypass by specifying a path traversal sequence in a Buffer (HIGH)(CVE-2023-32004)
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.
process.binding() can bypass the permission model through path traversal (HIGH)(CVE-2023-32558)
The use of the deprecated API process.binding() can bypass the permission model through path traversal.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you to Rafael Gonzaga for reporting and fixing this vulnerability.
Permissions policies can impersonate other modules in using module.constructor.createRequire() (MEDIUM)(CVE-2023-32006)
The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga and Bradley Farias for fixing it.
Permissions policies can be bypassed via process.binding (MEDIUM)(CVE-2023-32559)
The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding(‘spawn_sync’) run arbitrary code, outside of the limits defined in a policy.json file.
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Impacts
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to LeoDog896 for reporting this vulnerability and thank you Tobias Nießen for fixing it.
fs.statfs can retrive stats from files restricted by the Permission Model (LOW)(CVE-2023-32005)
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the –allow-fs-read flag is used with a non-* argument.
This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.statfs API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you to Rafael Gonzaga for reporting and fixing this vulnerability.
fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks (LOW)(CVE-2023-32003)
fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Impacts:
This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.
Downloads and release details
Node.js v16.20.2 (LTS)
Node.js v18.17.1 (LTS)
Node.js v20.5.1 (Current)
(Update 08-Aug-2023) Security Release target August 9th
The Node.js Security Releases will be available on, or shortly after, Wednesday, August 9th, 2023.
Summary
The Node.js project will release new versions of the 16.x, 18.x and 20.x releases lines on or shortly after, Tuesday August 8th 2023 in order to address:
3 high severity issues.
2 medium severity issues.
2 low severity issues.
OpenSSL Security updates
This security release includes the following OpenSSL security updates
OpenSSL security advisory 14th July.
OpenSSL security advisory 19th July.
OpenSSL security advisory 31st July.
Impact
The 20.x release line of Node.js is vulnerable to 3 high severity issues, 2 medium severity issues, and 2 low severity issues.
The 18.x release line of Node.js is vulnerable to 1 high severity issue, and 2 medium severity issues.
The 16.x release line of Node.js is vulnerable to 1 high severity issue, and 2 medium severity issues.
Potent Trojans Targeting MacOS Users
Read Time:5 Second
A new Bitdefender report finds that attackers are building more sophisticated malware creations tailored to macOS
10,000 N Ireland police officers and staff have their details exposed after spreadsheet screw-up
Read Time:9 Second
Earlier this week, the details of all 10,000 staff at the Police Service of Northern Ireland (PSNI) were exposed after a spreadsheet containing the data was mistakenly published online.
#BHUSA: DARPA Challenges AI Pros to Safeguard US Infrastructure
Read Time:6 Second
The new AI Cyber Challenge (AIxCC) is sponsored by DARPA, Google, Microsoft, OpenAI, Anthropic and the Open Source Security Foundation
#BHUSA: ESET Unmasks Cyber-Espionage Group Targeting Embassies in Belarus
Read Time:6 Second
The new APT is allegedly aligned with the Belarusian regime and has operated under the radar for at least nine years