#VU77599 Permissions, Privileges, and Access Controls in Node.js - CVE-2023-30583

Cybersecurity Help s.r.o.

Published: 2023-06-21

Vulnerability identifier: #VU77599

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-30583

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Node.js
Server applications / Web servers

Vendor: Node.js Foundation

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to a missing check in the fs.openAsBlob() API. A remote user leverage fs.openAsBlob() to bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Node.js: 20.0.0, 20.1.0, 20.2.0, 20.3.0

External links
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Node.js

Multiple vulnerabilities in IBM Spectrum Control

Multiple vulnerabilities in IBM Watson Discovery Cartridge for IBM Cloud Pak for Data

Multiple vulnerabilities in IBM Business Automation Workflow

Anolis OS update for noslate-anode

Multiple vulnerabilities in Platform Navigator and Automation Assets in IBM Cloud Pak for Integration

Multiple vulnerabilities in Oracle Solaris third-party software

Multiple vulnerabilities in IBM Voice Gateway

Multiple vulnerabilities in Node.js