CVE-2023-30585

5 documents, 5 sources

Severity: 7.5 HIGH
EPSS: 2.1% (top 15.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 28

Description

A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5 | nodejs/node | 4.0 | 4.* | +16
NVD | nodejs/node.js | 16.0.0 | 16.20.1 | +2

🔴 Vulnerability Details (2)

GHSA | GHSA-4r2r-cf85-vmc7: A vulnerability has been identified in the Node | 2023-11-28
CVEList | CVE-2023-30585: A vulnerability has been identified in the Node | 2023-11-28

📋 Vendor Advisories (2)

Red Hat | nodejs: privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process | 2023-06-20
Debian | CVE-2023-30585: nodejs - A vulnerability has been identified in the Node.js (.msi version) installation p... | 2023