// For flags

CVE-2023-32005

 

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.

This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.

This vulnerability affects all users using the experimental permission model in Node.js 20.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Se ha identificado una vulnerabilidad en la versión 20 de Node.js, que afecta a los usuarios del modelo de permisos experimental cuando se utiliza el indicador --allow-fs-read con un argumento "non-*". Esta falla surge de un modelo de permisos inadecuado que no logra restringir las estadísticas de archivos a través de la API `fs.statfs`. Como resultado, los actores maliciosos pueden recuperar estadísticas de archivos a los que no tienen acceso de lectura explícito. Esta vulnerabilidad afecta a todos los usuarios que utilizan el modelo de permiso experimental en Node.js 20. Tenga en cuenta que en el momento en que se emitió este CVE, el modelo de permiso es una característica experimental de Node.js.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-05-01 CVE Reserved
  • 2023-09-12 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • 2024-09-18 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-732: Incorrect Permission Assignment for Critical Resource
CAPEC
References (2)
URL Tag Source
https://security.netapp.com/advisory/ntap-20231103-0004 Third Party Advisory
URL Date SRC
https://hackerone.com/reports/2051224 2024-08-02
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Nodejs
Search vendor "Nodejs"
 Node.js
Search vendor "Nodejs" for product "Node.js"
 >= 20.0.0 < 20.5.1
Search vendor "Nodejs" for product "Node.js" and version " >= 20.0.0 < 20.5.1"
-
Affected