CVE-2023-32005

EUVD-2023-36293

12.09.2023, 02:15

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.

This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.

This vulnerability affects all users using the experimental permission model in Node.js 20.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADP	ADP	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Affected Products (NVD)

Vendor	Product	Version
nodejs	node.js	20.0.0 ≤ 𝑥 < 20.5.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

nodejs

bookworm	18.19.0+dfsg-6~deb12u2 fixed
bookworm (security)	18.19.0+dfsg-6~deb12u1 fixed
bullseye	12.22.12~dfsg-1~deb11u4 fixed
bullseye (security)	12.22.12~dfsg-1~deb11u5 fixed
sid	20.18.1+dfsg-1 fixed
trixie	20.18.1+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

nodejs

bionic	not-affected
focal	not-affected
jammy	not-affected
lunar	ignored
mantic	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

Known Exploits!

Common Weakness Enumeration

CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

https://hackerone.com/reports/2051224

https://security.netapp.com/advisory/ntap-20231103-0004/

https://hackerone.com/reports/2051224

https://security.netapp.com/advisory/ntap-20231103-0004/