PRISMA-2023-0054 is asking to use Node.js 20 while it's not LTS

[akirafujiu]

Version

v18.17.0

Platform

Darwin AkiranoMacBook-Pro.local 21.6.0 Darwin Kernel Version 21.6.0: Thu Jul 6 22:18:26 PDT 2023; root:xnu-8020.240.18.702.13~1/RELEASE_X86_64 x86_64

Subsystem

No response

What steps will reproduce the bug?

I believe this is not the bug for Node.js itself and this vulnerability should be there only when we use some experimental flag against Node.js 19 or something as runtime args

Security scan bot - Twistlock reported Node.js v18.17.0 is vulnerable due to following. But Node.js v20 is not LTS, so I believe we should not use them in production..

CVE: PRISMA-2023-0054
severity: M
Link: #47105
hasFix: Y
Status: fixed in 20.0.0
Description:
nodejs before 20.0.0 is vulnerable to authentication bypass. process.permission.deny() does not verify if given paths are case-sensitive or not, and thus by supplying a differently capitalized path on an OS that supports non-case-sensitive paths, the only way to properly deny a path is to deny every capitalization of said path. cvss vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

This CVE should not be given to the latest LTS.

What do you see instead?

N/A

Additional information

No response

[targos]

I don't know what PRISMA-2023-0054 refers to, nor what is a CVE id starting with PRISMA-, but the report you got from them doesn't make sense. The permission model and process.permission do not exist in releases before v20.0.0.

[BethGriggs]

I think @RafaelGSS has had another report of this too.

I found this when searching:

PRISMA-* IDs
You may also find vulnerabilities marked with a PRISMA-* identifier. These vulnerabilities lack a CVE ID. Many vulnerabilities are publicly discussed or patched without a CVE ever being assigned to them. While monitoring open-source vulnerabilities, our team identifies vulnerabilities you need to be aware of and assigns PRISMA IDs to them whenever applicable.

For example, let’s review "PRISMA-2021-0020". A user found a bug in the Python package and opened an issue through its open-source repository on GitHub. Our research team found this issue and determined it explains a valid security vulnerability. Although no CVE was assigned to this vulnerability, our team promptly assigned it a PRISMA identifier and analyzed the correct range of affected releases. Affected customers were alerted to this vulnerability despite the lack of any public vulnerability identifier. If a CVE is ever assigned to the same vulnerability that has a Prisma ID, the CVE takes over and the PRISMA ID entry is fully replaced. Read more about the correlation between PRISMA IDs and CVEs in this blog post.

I looked to see if there was a way we could report or update the invalid information (indicating that Node.js 18 is vulnerable when it doesn't contain the feature), but I couldn't find a way to do so. Perhaps an option might be for a Prisma Cloud customer open a ticket to report it on our behalf?

[mhdawson]

@akirafujiu if your company is a customer of Twistlock the best way forward as @BethGriggs is probably to open a customer ticket asking that they fix the erroneous problem report that they have created. If you need any help in convincing them that the issue does not apply to Node.js 20.x let us know.

Can you do that?

[RafaelGSS]

FWIW process.permission.deny was never released in any version of Node.js.

[akirafujiu]

@mhdawson FYI @BethGriggs Yes, IBM is a customer of Twistlock to scan docker images etc. I have opened a support ticket to Prisma cloud through internal tools, and used this issue as evidence. I don't think them good to have invalid label of this issue and to be closed. could you please reopen this issue and remove that label until above CVE itself from Prisma cloud gets invalid?

@RafaelGSS Thank you for your clarification.

[akirafujiu]

Now Twistlock marked this CVE as invalid. Thanks for all!

[BethGriggs]

Great, thank you for raising the ticket @akirafujiu