CVE-2023-39333

EUVD-2023-43064

07.09.2024, 16:15

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module.

This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option.

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 26%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
nodejs	nodejs	18.0 ≤ 𝑥 < 18.18.2	ADP
nodejs	nodejs	20.0 ≤ 𝑥 < 20.8.1	ADP

Debian Releases

Debian Product

Codename

nodejs

bookworm	18.19.0+dfsg-6~deb12u2 fixed
bookworm (security)	18.19.0+dfsg-6~deb12u1 fixed
bullseye	12.22.12~dfsg-1~deb11u4 not-affected
bullseye (security)	12.22.12~dfsg-1~deb11u5 fixed
buster	not-affected
sid	20.18.1+dfsg-1 fixed
trixie	20.18.1+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

nodejs

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
lunar	ignored
mantic	ignored
noble	needs-triage
oracular	needs-triage
trusty	ignored
xenial	needs-triage

openSUSE / SLES Releases

openSUSE Product

Release

nodejs16

suse enterprise sap 15 SP4	16.20.2-150400.3.27.2 fixed
suse enterprise server 15 SP3	16.20.2-150300.7.30.1 fixed
suse enterprise server 15 SP4	16.20.2-150400.3.27.2 fixed

nodejs16-devel

suse enterprise sap 15 SP4	16.20.2-150400.3.27.2 fixed
suse enterprise server 15 SP3	16.20.2-150300.7.30.1 fixed
suse enterprise server 15 SP4	16.20.2-150400.3.27.2 fixed

nodejs16-docs

suse enterprise sap 15 SP4	16.20.2-150400.3.27.2 fixed
suse enterprise server 15 SP3	16.20.2-150300.7.30.1 fixed
suse enterprise server 15 SP4	16.20.2-150400.3.27.2 fixed

nodejs18

suse enterprise sap 15 SP4	18.18.2-150400.9.15.1 fixed
suse enterprise sap 15 SP5	18.18.2-150400.9.15.1 fixed
suse enterprise server 15 SP4	18.18.2-150400.9.15.1 fixed
suse enterprise server 15 SP5	18.18.2-150400.9.15.1 fixed

nodejs18-devel

suse enterprise sap 15 SP4	18.18.2-150400.9.15.1 fixed
suse enterprise sap 15 SP5	18.18.2-150400.9.15.1 fixed
suse enterprise server 15 SP4	18.18.2-150400.9.15.1 fixed
suse enterprise server 15 SP5	18.18.2-150400.9.15.1 fixed

nodejs18-docs

suse enterprise sap 15 SP4	18.18.2-150400.9.15.1 fixed
suse enterprise sap 15 SP5	18.18.2-150400.9.15.1 fixed
suse enterprise server 15 SP4	18.18.2-150400.9.15.1 fixed
suse enterprise server 15 SP5	18.18.2-150400.9.15.1 fixed

npm16

suse enterprise sap 15 SP4	16.20.2-150400.3.27.2 fixed
suse enterprise server 15 SP3	16.20.2-150300.7.30.1 fixed
suse enterprise server 15 SP4	16.20.2-150400.3.27.2 fixed

npm18

suse enterprise sap 15 SP4	18.18.2-150400.9.15.1 fixed
suse enterprise sap 15 SP5	18.18.2-150400.9.15.1 fixed
suse enterprise server 15 SP4	18.18.2-150400.9.15.1 fixed
suse enterprise server 15 SP5	18.18.2-150400.9.15.1 fixed

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

https://nodejs.org/en/blog/vulnerability/october-2023-security-releases

https://security.netapp.com/advisory/ntap-20240808-0004/

https://security.netapp.com/advisory/ntap-20241004-0006/

https://security.netapp.com/advisory/ntap-20241108-0002/