Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-32558
HistorySep 12, 2023 - 12:00 a.m.

CVE-2023-32558

2023-09-1200:00:00
ubuntu.com
ubuntu.com
8
node.js
api
path traversal
permission model
experimental
vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.2%

The use of the deprecated API process.binding() can bypass the permission
model through path traversal. This vulnerability affects all users using
the experimental permission model in Node.js 20.x. Please note that at the
time this CVE was issued, the permission model is an experimental feature
of Node.js.

Notes

Author Note
sahnaseredini This vulnerability affects all users using the experimental permission model which was introduced in Node.js 20

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.2%