History: Aug 24, 2023 - 2:15 a.m.

CVE-2023-32559

2023-08-24 02:15:09
web.nvd.nist.gov
cve-2023-32559
node.js
privilege escalation
vulnerability
policy mechanism
deprecated api
process.binding()
policy.json
experimental feature

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.7
Confidence: High

EPSS: 0.001
Percentile: 23.9%

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') to run arbitrary code outside of the limits defined in a policy.json file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Affected configurations

NVD
Node
nodejs node.js Range 16.0.0–16.20.1 -
OR
nodejs node.js Range 18.0.0–18.17.0 -
OR
nodejs node.js Range 20.0.0–20.5.0 -

Vendor | Product | Version | CPE
nodejs | node.js | | cpe:/a:nodejs:node.js:::-:

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Node.js",
    "product": "Node.js",
    "versions": [
      {
        "version": "20.5.0",
        "status": "affected",
        "lessThanOrEqual": "20.5.0",
        "versionType": "semver"
      },
      {
        "version": "18.17.0",
        "status": "affected",
        "lessThanOrEqual": "18.17.0",
        "versionType": "semver"
      },
      {
        "version": "16.20.1",
        "status": "affected",
        "lessThanOrEqual": "16.20.1",
        "versionType": "semver"
      }
    ]
  }
]
