CVE-2023-32005

CWE-732 — Incorrect Permission Assignment CWE-12685 documents5 sources

Severity

5.3MEDIUM

EPSS

1.3%

top 20.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js

Timeline

PublishedSep 12

Latest updateSep 20

Description

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20. Please no…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5nodejs/node4.0 — 4.*+14

▶NVDnodejs/node.js20.0.0 — 20.5.1

🔴Vulnerability Details

GHSA

GHSA-6hjf-ffg5-v8w7: A vulnerability has been identified in Node↗2023-09-20

▶

CVEList

CVE-2023-32005: A vulnerability has been identified in Node↗2023-09-12

▶

📋Vendor Advisories

Red Hat

nodejs: fs.statfs can retrive stats from files restricted by the Permission Model↗2023-08-09

▶

Debian

CVE-2023-32005: nodejs - A vulnerability has been identified in Node.js version 20, affecting users of th...↗2023

▶