Ubuntu.comUB:CVE-2023-45311

HistoryOct 06, 2023 - 12:00 a.m.

CVE-2023-45311

2023-10-0600:00:00

ubuntu.com

cve-2023-45311

fsevents

dependency vulnerability

arbitrary code

javascript

adversary control

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.005

Percentile

76.1%

JSON

fsevents before 1.2.11 depends on the
https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow
an adversary to execute arbitrary code if any JavaScript project (that
depends on fsevents) distributes code that was obtained from that URL at a
time when it was controlled by an adversary. NOTE: some sources feel that
this means that no version is affected any longer, because the URL is not
controlled by an adversary.

Notes

Author	Note
ccdm94	qtwebengine-opensource-src and npm contain embedded copies of fsevents.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchnpm< anyUNKNOWN
ubuntu20.04noarchnpm< anyUNKNOWN
ubuntu22.04noarchnpm< anyUNKNOWN
ubuntu24.04noarchnpm< anyUNKNOWN
ubuntu14.04noarchnpm< anyUNKNOWN
ubuntu16.04noarchnpm< anyUNKNOWN
ubuntu18.04noarchqtwebengine-opensource-src< anyUNKNOWN
ubuntu20.04noarchqtwebengine-opensource-src< anyUNKNOWN
ubuntu22.04noarchqtwebengine-opensource-src< anyUNKNOWN
ubuntu24.04noarchqtwebengine-opensource-src< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	npm	< any	UNKNOWN
ubuntu	20.04	noarch	npm	< any	UNKNOWN
ubuntu	22.04	noarch	npm	< any	UNKNOWN
ubuntu	24.04	noarch	npm	< any	UNKNOWN
ubuntu	14.04	noarch	npm	< any	UNKNOWN
ubuntu	16.04	noarch	npm	< any	UNKNOWN
ubuntu	18.04	noarch	qtwebengine-opensource-src	< any	UNKNOWN
ubuntu	20.04	noarch	qtwebengine-opensource-src	< any	UNKNOWN
ubuntu	22.04	noarch	qtwebengine-opensource-src	< any	UNKNOWN
ubuntu	24.04	noarch	qtwebengine-opensource-src	< any	UNKNOWN

References

github.com/atlassian/moo/blob/56ccbdd41b493332bc2cd7a4097a5802594cdb9c/package-lock.json#L1901-L1902

github.com/atlassian/react-immutable-proptypes/blob/ddb9fa5194b931bf7528eb4f2c0a8c3434f70edd/package-lock.json#L153

github.com/cloudflare/authr/blob/3f6129d97d06e61033a7f237d84e35e678db490f/ts/package-lock.json#L1512

github.com/cloudflare/hugo-cloudflare-docs/blob/e0f7cfa195af8ef1bfa51a487be7d34ba298ed06/package-lock.json#L494

github.com/cloudflare/redux-grim/blob/b652f99f95fb16812336073951adc5c5a93e2c23/package-lock.json#L266-L267

github.com/cloudflare/serverless-cloudflare-workers/blob/e95e1e9c9770ed9a3d9480c1fa73e64391268354/package-lock.json#L737

github.com/fsevents/fsevents/compare/v1.2.10...v1.2.11

launchpad.net/bugs/cve/CVE-2023-45311

nvd.nist.gov/vuln/detail/CVE-2023-45311

security-tracker.debian.org/tracker/CVE-2023-45311

www.cve.org/CVERecord?id=CVE-2023-45311

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.005

Percentile

76.1%

JSON

Related for UB:CVE-2023-45311