Vulnerability Details : CVE-2023-39331
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Vulnerability category: Directory traversal
Products affected by CVE-2023-39331
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-39331
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 31 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-39331
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.7
|
HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
2.5
|
5.2
|
HackerOne | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
N/A
|
N/A
|
RedHat-CVE-2023-39331 |
CWE ids for CVE-2023-39331
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-39331
-
https://security.netapp.com/advisory/ntap-20231116-0009/
October 2023 Node.js Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://hackerone.com/reports/2092852
Node.js | Report #2092852 - Permission model improperly protects against path traversal | HackerOneThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
[SECURITY] Fedora 39 Update: nodejs20-20.8.1-1.fc39 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
[SECURITY] Fedora 37 Update: nodejs20-20.8.1-1.fc37 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
[SECURITY] Fedora 38 Update: nodejs20-20.8.1-1.fc38 - package-announce - Fedora Mailing-Lists
Jump to