#VU77596 Permissions, Privileges, and Access Controls in Node.js - CVE-2023-30582


Vulnerability identifier: #VU77596

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-30582

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Node.js
Server applications / Web servers

Vendor: Node.js Foundation

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an error within the experimental permission model when the --allow-fs-read flag is used with a non-* argument. An inadequate permission model fails to restrict file watching through the fs.watchFile API and result in an ability of a remote user to monitor files that they do not have explicit read access to.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Node.js: 20.0.0, 20.1.0, 20.2.0, 20.3.0

External links
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for Node.js
Multiple vulnerabilities in IBM Spectrum Control
Multiple vulnerabilities in IBM Watson Discovery Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in IBM Business Automation Workflow
Anolis OS update for noslate-anode
Multiple vulnerabilities in Platform Navigator and Automation Assets in IBM Cloud Pak for Integration
Multiple vulnerabilities in Oracle Solaris third-party software
Multiple vulnerabilities in IBM Voice Gateway
Multiple vulnerabilities in Node.js