CVE-2023-30586

NameCVE-2023-30586
DescriptionA privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)jessie0.10.29~dfsg-2fixed
stretch4.8.2~dfsg-1fixed
buster (security), buster, buster (lts)10.24.0~dfsg-1~deb10u4fixed
bullseye12.22.12~dfsg-1~deb11u4fixed
bullseye (security)12.22.12~dfsg-1~deb11u5fixed
bookworm18.19.0+dfsg-6~deb12u2fixed
bookworm (security)18.19.0+dfsg-6~deb12u1fixed
sid, trixie20.17.0+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssource(unstable)(not affected)

Notes

- nodejs <not-affected> (Vulnerable code introduced in 20.x)
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#openssl-engines-can-be-used-to-bypass-the-permission-model-medium-cve-2023-30586

Search for package or bug name: Reporting problems