#VU77595 Improper access control in Node.js - CVE-2023-30587


Vulnerability identifier: #VU77595

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-30587

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Node.js
Server applications / Web servers

Vendor: Node.js Foundation

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can exploit the Worker class's ability to create an "internal worker" with the kIsInternal Symbol to bypass restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector).

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Node.js: 20.0.0, 20.1.0, 20.2.0, 20.3.0

External links
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for Node.js
Multiple vulnerabilities in IBM Spectrum Control
Multiple vulnerabilities in IBM Spectrum Symphony
Multiple vulnerabilities in IBM Watson Discovery Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in IBM Business Automation Workflow
Anolis OS update for noslate-anode
Multiple vulnerabilities in Platform Navigator and Automation Assets in IBM Cloud Pak for Integration
Multiple vulnerabilities in Oracle Solaris third-party software
Multiple vulnerabilities in IBM Voice Gateway
Multiple vulnerabilities in Node.js