Lucene search

Ubuntu.comUB:CVE-2023-23920

HistoryFeb 23, 2023 - 12:00 a.m.

CVE-2023-23920

2023-02-2300:00:00

ubuntu.com

4.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N

1.3 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

MULTIPLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:M/C:N/I:P/A:N

0.0004 Low

EPSS

Percentile

13.3%

JSON

An untrusted search path vulnerability exists in Node.js. <19.6.1,
<18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and
potentially load ICU data when running with elevated privileges.

Bugs

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031834>

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchnodejs< 10.19.0~dfsg-3ubuntu1.5UNKNOWN
ubuntu22.04noarchnodejs< 12.22.9~dfsg-1ubuntu3.4UNKNOWN
ubuntu23.10noarchnodejs< 18.13.0+dfsg1-1ubuntu2.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	20.04	noarch	nodejs	< 10.19.0~dfsg-3ubuntu1.5	UNKNOWN
ubuntu	22.04	noarch	nodejs	< 12.22.9~dfsg-1ubuntu3.4	UNKNOWN
ubuntu	23.10	noarch	nodejs	< 18.13.0+dfsg1-1ubuntu2.1	UNKNOWN

References

github.com/nodejs/node/commit/f369c0a739b9f0182ededa834a2a44e6fec322d1

launchpad.net/bugs/cve/CVE-2023-23920

nodejs.org/en/blog/vulnerability/february-2023-security-releases/

nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-insecure-loading-of-icu-data-through-icu_data-environment-variable-low-cve-2023-23920

nvd.nist.gov/vuln/detail/CVE-2023-23920

security-tracker.debian.org/tracker/CVE-2023-23920

ubuntu.com/security/notices/USN-6672-1

www.cve.org/CVERecord?id=CVE-2023-23920