40 matches found
Fedora 39 : nodejs20 (2023-7b52921cae)
The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-7b52921cae advisory. 2023-10-13, Version 20.8.1 Current, @RafaelGSS This is a security release. Notable Changes The following CVEs are fixed in this release:...
Fedora 37 : nodejs20 (2023-f66fc0f62a)
The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-f66fc0f62a advisory. 2023-10-13, Version 20.8.1 Current, @RafaelGSS This is a security release. Notable Changes The following CVEs are fixed in this release:...
Internet Bug Bounty: Permission model improperly protects against path traversal in Node.js 20
A path traversal vulnerability was introduced in Node.js 20 due to insufficient patching of CVE-2023-30584. The vulnerability arises because the permission model implementation does not protect itself against the application overwriting built-in utility functions like path.resolve with user-defin...
K000137330: Node.JS vulnerabilities CVE-2023-38552, CVE-2023-39331, CVE-2023-39332, and CVE-2023-3933
Security Advisory Description CVE-2023-38552 When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check...
CVE-2023-39332 vulnerabilities
Vulnerabilities for packages: nodejs...
Internet Bug Bounty: Permissions policies can be bypassed via Module._load and require.extensions (High) (CVE-2023-30587)
A vulnerability in the experimental permissions policy mechanism in Node.js was reported. The use of Module._load could bypass the policy and require unauthorized modules. This affected all active release lines. The vulnerability was reported by a researcher and fixed by the Node.js security team...
CVE-2023-32558
The use of the deprecated API process.binding can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of...
CVE-2023-32005
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.statfs API. As a result...
Path traversal
The use of the deprecated API process.binding can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of...
CVE-2023-32005
CVE-2023-32005 affects Node.js 20 when using the experimental permission model. The issue stems from an inadequate permission model that fails to restrict file stats via fs.statfs, allowing a user with --allow-fs-read and a non-* path to retrieve stats on files they do not have read access to. Af...
SUSE SLES15 / openSUSE 15 Security Update : nodejs16 (SUSE-SU-2023:3379-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3379-1 advisory. - The use of Module._load can bypass the policy mechanism and require modules outside of the policy.json definition fo...
CVE-2023-32004
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. This vulnerability affects all users using th...
CVE-2023-32003
fs.mkdtemp and fs.mkdtempSync can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the...
Path traversal
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. This vulnerability affects all users using th...
Path traversal
fs.mkdtemp and fs.mkdtempSync can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the...
CVE-2023-32004
CVE-2023-32004 concerns Node.js 20, specifically its experimental permission model. Available sources describe a vulnerability in the file-system APIs where improper handling of Buffers can cause a traversal path to bypass file permission checks. The issue affects users operating under the experi...
PT-2023-9603 · Node.Js · Node.Js
Name of the Vulnerable Software and Affected Versions: Node.js versions 20.x Description: The use of the deprecated API process.binding can bypass the permission model through path traversal, potentially allowing a remote attacker to bypass security restrictions and gain unauthorized access to...
CVE-2023-30586
CVE-2023-30586: Privilege escalation in Node.js 20 when the experimental permission model is enabled. An OpenSSL engine loaded via crypto.setEngine() can bypass or disable the permission model by manipulating host process memory (e.g., locating Permission::enabled_ on the heap). Affected: Node.js...