Vulnerability Details CVE-2023-38552
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check.
Impacts:
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x.
Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 50.1%
CVSS Severity
CVSS v3 Score 7.5
References
- https://hackerone.com/reports/2094235
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
- https://security.netapp.com/advisory/ntap-20231116-0013/
- https://hackerone.com/reports/2094235
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
- https://security.netapp.com/advisory/ntap-20231116-0013/
Products affected by CVE-2023-38552
-
cpe:2.3:a:nodejs:node.js:18.0.0
-
cpe:2.3:a:nodejs:node.js:18.0.1
-
cpe:2.3:a:nodejs:node.js:18.0.2
-
cpe:2.3:a:nodejs:node.js:18.0.3
-
cpe:2.3:a:nodejs:node.js:18.0.4
-
cpe:2.3:a:nodejs:node.js:18.0.5
-
cpe:2.3:a:nodejs:node.js:18.0.6
-
cpe:2.3:a:nodejs:node.js:18.1.0
-
cpe:2.3:a:nodejs:node.js:18.10.0
-
cpe:2.3:a:nodejs:node.js:18.11.0
-
cpe:2.3:a:nodejs:node.js:18.12.0
-
cpe:2.3:a:nodejs:node.js:18.12.1
-
cpe:2.3:a:nodejs:node.js:18.13.0
-
cpe:2.3:a:nodejs:node.js:18.14.0
-
cpe:2.3:a:nodejs:node.js:18.14.1
-
cpe:2.3:a:nodejs:node.js:18.14.2
-
cpe:2.3:a:nodejs:node.js:18.15.0
-
cpe:2.3:a:nodejs:node.js:18.16.0
-
cpe:2.3:a:nodejs:node.js:18.16.1
-
cpe:2.3:a:nodejs:node.js:18.17.0
-
cpe:2.3:a:nodejs:node.js:18.17.1
-
cpe:2.3:a:nodejs:node.js:18.18.0
-
cpe:2.3:a:nodejs:node.js:18.18.1
-
cpe:2.3:a:nodejs:node.js:18.2.0
-
cpe:2.3:a:nodejs:node.js:18.3.0
-
cpe:2.3:a:nodejs:node.js:18.4.0
-
cpe:2.3:a:nodejs:node.js:18.5.0
-
cpe:2.3:a:nodejs:node.js:18.6.0
-
cpe:2.3:a:nodejs:node.js:18.7.0
-
cpe:2.3:a:nodejs:node.js:18.8.0
-
cpe:2.3:a:nodejs:node.js:18.9.0
-
cpe:2.3:a:nodejs:node.js:18.9.1
-
cpe:2.3:a:nodejs:node.js:20.1.0
-
cpe:2.3:a:nodejs:node.js:20.2.0
-
cpe:2.3:a:nodejs:node.js:20.3.0
-
cpe:2.3:a:nodejs:node.js:20.3.1
-
cpe:2.3:a:nodejs:node.js:20.4.0
-
cpe:2.3:a:nodejs:node.js:20.5.0
-
cpe:2.3:a:nodejs:node.js:20.5.1
-
cpe:2.3:a:nodejs:node.js:20.6.0
-
cpe:2.3:a:nodejs:node.js:20.6.1
-
cpe:2.3:a:nodejs:node.js:20.7.0
-
cpe:2.3:a:nodejs:node.js:20.8.0
-
cpe:2.3:o:fedoraproject:fedora:37
-
cpe:2.3:o:fedoraproject:fedora:38
-
cpe:2.3:o:fedoraproject:fedora:39