Lucene search

K
nvd[email protected]NVD:CVE-2023-30581
HistoryNov 23, 2023 - 12:15 a.m.

CVE-2023-30581

2023-11-2300:15:07
web.nvd.nist.gov
5
node.js
security bypass
cve-2023-30581
experimental feature
policy mechanism
module requiring

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

21.8%

The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

Affected configurations

Nvd
Node
nodejsnode.jsRange16.0.016.20.1-
OR
nodejsnode.jsRange18.0.018.16.1-
OR
nodejsnode.jsRange20.0.020.3.1-

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

21.8%