Lucene search

K
cve[email protected]CVE-2023-32002
HistoryAug 21, 2023 - 5:15 p.m.

CVE-2023-32002

2023-08-2117:15:47
web.nvd.nist.gov
377
cve-2023-32002
node.js
security vulnerability
policy mechanism
experimental feature
nvd
module bypass

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.1%

The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Affected configurations

NVD
Node
nodejsnode.jsRange16.0.0โ€“16.20.1
OR
nodejsnode.jsRange18.0.0โ€“18.17.0
OR
nodejsnode.jsRange20.0.0โ€“20.5.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Node.js",
    "product": "Node.js",
    "versions": [
      {
        "version": "20.5.0",
        "status": "affected",
        "lessThanOrEqual": "20.5.0",
        "versionType": "semver"
      },
      {
        "version": "18.17.0",
        "status": "affected",
        "lessThanOrEqual": "18.17.0",
        "versionType": "semver"
      },
      {
        "version": "16.20.1",
        "status": "affected",
        "lessThanOrEqual": "16.20.1",
        "versionType": "semver"
      }
    ]
  }
]

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.1%