The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3379-1 advisory.

  - The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json     definition for a given module. This vulnerability affects all users using the experimental policy     mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was     issued, the policy is an experimental feature of Node.js. (CVE-2023-32002)

  - The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules     outside of the policy.json definition for a given module. This vulnerability affects all users using the     experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the     time this CVE was issued, the policy is an experimental feature of Node.js. (CVE-2023-32006)

  - https://nodejs.org/en/blog/vulnerability/august-2023-security-releases  Security releases available     Updates are now available for the v16.x, v18.x, and v20.x Node.js release lines for the following issues.
    Permissions policies can be bypassed via Module._load (HIGH)(CVE-2023-32002) The use of Module._load() can     bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
    Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of     Node.js.  Impacts:  This vulnerability affects all users using the experimental policy mechanism in all     active release lines: 16.x, 18.x and, 20.x. Thank you, to mattaustin for reporting this vulnerability and     thank you Rafael Gonzaga and Bradley Farias for fixing it.  Permission model bypass by specifying a path     traversal sequence in a Buffer (HIGH)(CVE-2023-32004) A vulnerability has been discovered in Node.js     version 20, specifically within the experimental permission model. This flaw relates to improper handling     of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.  Please     note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
    Impacts:  This vulnerability affects all users using the experimental permission model in Node.js 20.
    Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.
    process.binding() can bypass the permission model through path traversal (HIGH)(CVE-2023-32558) The use of     the deprecated API process.binding() can bypass the permission model through path traversal.  Please note     that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
    Impacts:  This vulnerability affects all users using the experimental permission model in Node.js 20.
    Thank you to Rafael Gonzaga for reporting and fixing this vulnerability.  Permissions policies can     impersonate other modules in using module.constructor.createRequire() (MEDIUM)(CVE-2023-32006) The use of     module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the     policy.json definition for a given module.  Please note that at the time this CVE was issued, the policy     mechanism is an experimental feature of Node.js.  Impacts:  This vulnerability affects all users using the     experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Thank you, to Axel Chong     for reporting this vulnerability and thank you Rafael Gonzaga and Bradley Farias for fixing it.
    Permissions policies can be bypassed via process.binding (MEDIUM)(CVE-2023-32559) The use of the     deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and     eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits     defined in a policy.json file.  Please note that at the time this CVE was issued, the policy is an     experimental feature of Node.js.  Impacts  This vulnerability affects all users using the experimental     policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Thank you, to LeoDog896 for reporting     this vulnerability and thank you Tobias Nieen for fixing it.  fs.statfs can retrive stats from files     restricted by the Permission Model (LOW)(CVE-2023-32005) A vulnerability has been identified in Node.js     version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used     with a non-* argument.  This flaw arises from an inadequate permission model that fails to restrict file     stats through the fs.statfs API. As a result, malicious actors can retrieve stats from files that they do     not have explicit read access to.  Please note that at the time this CVE was issued, the permission model     is an experimental feature of Node.js.  Impacts:  This vulnerability affects all users using the     experimental permission model in Node.js 20. Thank you to Rafael Gonzaga for reporting and fixing this     vulnerability.  fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks     (LOW)(CVE-2023-32003) fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check     using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the     impact is a malicious actor could create an arbitrary directory.  Please note that at the time this CVE     was issued, the permission model is an experimental feature of Node.js.  Impacts:  This vulnerability     affects all users using the experimental permission model in Node.js 20. Thank you, to Axel Chong for     reporting this vulnerability and thank you Rafael Gonzaga for fixing it.  Downloads and release details     Node.js v16.20.2 (LTS) Node.js v18.17.1 (LTS) Node.js v20.5.1 (Current) (Update 08-Aug-2023) Security     Release target August 9th The Node.js Security Releases will be available on, or shortly after, Wednesday,     August 9th, 2023.  Summary The Node.js project will release new versions of the 16.x, 18.x and 20.x     releases lines on or shortly after, Tuesday August 8th 2023 in order to address:  3 high severity issues.
    2 medium severity issues. 2 low severity issues. OpenSSL Security updates This security release includes     the following OpenSSL security updates  OpenSSL security advisory 14th July. OpenSSL security advisory     19th July. OpenSSL security advisory 31st July. Impact The 20.x release line of Node.js is vulnerable to 3     high severity issues, 2 medium severity issues, and 2 low severity issues.  The 18.x release line of     Node.js is vulnerable to 1 high severity issue, and 2 medium severity issues.  The 16.x release line of     Node.js is vulnerable to 1 high severity issue, and 2 medium severity issues. (CVE-2023-32559)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

SUSE SLES15 / openSUSE 15 Security Update : nodejs16 (SUSE-SU-2023:3379-1)

critical Nessus Plugin ID 180043

Version 1.4

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.4 Sep 26, 2023, 8:16 PM CVSS metrics ("CVSSv2 score" changed from 7.5 to 10.0. "CVSSv2 vector" changed from "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P" to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C") CVSSv2 score source (changed from "CVE-2023-32559" to "CVE-2023-32002") CVSSv3 score source (set to "CVE-2023-32002") Plugin Feed: 202309262016
Version 1.3 Sep 18, 2023, 4:18 PM CVSS metrics ("CVSSv2 score" changed from 10.0 to 7.5. "CVSSv2 vector" changed from "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C" to "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P") Plugin Feed: 202309181618
Version 1.2 Sep 4, 2023, 4:15 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSSv2 score source (changed from "CVE-2023-32002" to "CVE-2023-32559") CVSSv3 score source (set to "CVE-2023-32559") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202309041615
Version 1.1 Aug 25, 2023, 4:05 PM CVSS metrics ("CVSSv2 score" changed from 9.0 to 10.0. "CVSSv2 vector" changed from "CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C" to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C". "CVSSv3 score" changed from 8.8 to 9.8. "CVSSv3 vector" changed from "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") CVSSv2 score source (changed from "CVE-2023-32006" to "CVE-2023-32002") CVSSv3 score source (set to "CVE-2023-32002") Plugin Feed: 202308251605
Version 1.0 Aug 23, 2023, 8:04 AM New Plugin Feed: 202308230804