cvelist / Hackerone / CVELIST:CVE-2023-38552
History: Oct 18, 2023 - 3:55 a.m.

CVE-2023-38552

2023-10-18 03:55:18
hackerone
www.cve.org
node.js
forged checksum
vulnerability
experimental policy
users
integrity check
cve-2023-38552

AI Score: 7.7 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 59.7%)

When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check.
Impacts:
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and 20.x.
Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Node.js",
    "product": "Node.js",
    "versions": [
      {
        "version": "20.8.0",
        "status": "affected",
        "lessThanOrEqual": "20.8.0",
        "versionType": "semver"
      },
      {
        "version": "18.18.1",
        "status": "affected",
        "lessThanOrEqual": "18.18.1",
        "versionType": "semver"
      }
    ]
  }
]