CVE-2023-39332 - OpenCVE

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Nodejs	Node.js
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
nodejs:20-8090020231019152822.a75119d5	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:7205	2023-11-14T00:00:00Z

References

Link	Providers
https://hackerone.com/reports/2199818
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
https://nvd.nist.gov/vuln/detail/CVE-2023-39332
https://security.netapp.com/advisory/ntap-20231116-0009/
https://www.cve.org/CVERecord?id=CVE-2023-39332

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2023-10-18T03:55:18.469Z

Updated: 2024-09-13T14:54:53.063Z

Reserved: 2023-07-28T01:00:12.349Z

Link: CVE-2023-39332

Vulnrichment

Updated: 2024-08-02T18:02:06.901Z

NVD

Status : Analyzed

Published: 2023-10-18T04:15:11.330

Modified: 2023-11-17T19:08:58.170

Link: CVE-2023-39332

Redhat

Severity : Important

Publid Date: 2023-10-13T00:00:00Z

Links: CVE-2023-39332 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39332", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2023-07-28T01:00:12.349Z", "datePublished": "2023-10-18T03:55:18.469Z", "dateUpdated": "2024-09-13T14:54:53.063Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects.\r\n\r\nThis is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`.\r\n\r\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js."}], "affected": [{"vendor": "Node.js", "product": "Node.js", "versions": [{"version": "20.8.0", "status": "affected", "lessThanOrEqual": "20.8.0", "versionType": "semver"}, {"version": "20.0.0", "status": "unaffected", "lessThan": "20.0.0", "versionType": "semver"}]}], "references": [{"url": "https://hackerone.com/reports/2199818"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"}, {"url": "https://security.netapp.com/advisory/ntap-20231116-0009/"}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2023-11-03T18:13:19.935Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.901Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/2199818", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231116-0009/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-13T14:54:41.045769Z", "id": "CVE-2023-39332", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-13T14:54:53.063Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/2199818", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231116-0009/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.901Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39332", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-13T14:54:41.045769Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-13T14:54:48.797Z"}}], "cna": {"affected": [{"vendor": "Node.js", "product": "Node.js", "versions": [{"status": "affected", "version": "20.8.0", "versionType": "semver", "lessThanOrEqual": "20.8.0"}, {"status": "unaffected", "version": "20.0.0", "lessThan": "20.0.0", "versionType": "semver"}]}], "references": [{"url": "https://hackerone.com/reports/2199818"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"}, {"url": "https://security.netapp.com/advisory/ntap-20231116-0009/"}], "descriptions": [{"lang": "en", "value": "Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects.\r\n\r\nThis is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`.\r\n\r\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2023-11-03T18:13:19.935Z"}}}, "cveMetadata": {"cveId": "CVE-2023-39332", "state": "PUBLISHED", "dateUpdated": "2024-09-13T14:54:53.063Z", "dateReserved": "2023-07-28T01:00:12.349Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2023-10-18T03:55:18.469Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "6BD3775B-9921-452D-ACF2-626A96B781F0", "versionEndExcluding": "20.8.0", "versionStartIncluding": "20.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects.\r\n\r\nThis is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`.\r\n\r\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js."}, {"lang": "es", "value": "Varias funciones `node:fs` permiten especificar rutas como cadenas u objetos `Uint8Array`. En entornos Node.js, la clase `Buffer` extiende la clase `Uint8Array`. Node.js evita el path traversal a trav\u00e9s de cadenas (ver CVE-2023-30584) y objetos `Buffer` (ver CVE-2023-32004), pero no a trav\u00e9s de objetos `Uint8Array` que no son `Buffer`. Esto es distinto de CVE-2023-32004, que solo se refer\u00eda a objetos \"Buffer\". Sin embargo, la vulnerabilidad sigue el mismo patr\u00f3n al usar \"Uint8Array\" en lugar de \"Buffer\". Tenga en cuenta que en el momento en que se emiti\u00f3 este CVE, el modelo de permiso es una caracter\u00edstica experimental de Node.js."}], "id": "CVE-2023-39332", "lastModified": "2023-11-17T19:08:58.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-18T04:15:11.330", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/2199818"}, {"source": "support@hackerone.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231116-0009/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7205", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:20-8090020231019152822.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}], "bugzilla": {"description": "nodejs: path traversal through path stored in Uint8Array", "id": "2244414", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2244414"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-22", "details": ["Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects.\nThis is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.", "Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not through non-Buffer Uint8Array objects."], "name": "CVE-2023-39332", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:16/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:18/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:18/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs14-nodejs", "product_name": "Red Hat Software Collections"}], "public_date": "2023-10-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-39332\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-39332"], "threat_severity": "Important"}