CVE-2023-38552
nodejs: integrity checks according to policies can be circumvented
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check.
Impacts:
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x.
Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
Cuando la función de política de Node.js verifica la integridad de un recurso con un manifiesto confiable, la aplicación puede interceptar la operación y devolver una suma de verificación falsificada a la implementación de la política del nodo, deshabilitando así efectivamente la verificación de integridad. Impactos: esta vulnerabilidad afecta a todos los usuarios que utilizan el mecanismo de política experimental en todas las líneas de versiones activas: 18.x y 20.x. Tenga en cuenta que en el momento en que se emitió este CVE, el mecanismo de política era una característica experimental de Node.js.
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to node's policy implementation, thus effectively disabling the integrity check.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-07-20 CVE Reserved
- 2023-10-18 CVE Published
- 2024-08-02 CVE Updated
- 2024-09-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-354: Improper Validation of Integrity Check Value
CAPEC
References (10)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-38552 | 2023-11-14 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2244415 | 2023-11-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 18.0.0 <= 18.18.1 Search vendor "Nodejs" for product "Node.js" and version " >= 18.0.0 <= 18.18.1" | - |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 20.1.0 <= 20.8.0 Search vendor "Nodejs" for product "Node.js" and version " >= 20.1.0 <= 20.8.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 38 Search vendor "Fedoraproject" for product "Fedora" and version "38" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 39 Search vendor "Fedoraproject" for product "Fedora" and version "39" | - |
Affected
| ||||||