Published: 18/10/2023 Updated: 17/11/2023

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 0

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Vulnerable Product	Search on Vulmon	Subscribe to Product
nodejs node.js
fedoraproject fedora 39

Synopsis Important: nodejs:20 security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this upda ...

CWE-22 https://hackerone.com/reports/2199818 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/https://security.netapp.com/advisory/ntap-20231116-0009/https://access.redhat.com/errata/RHSA-2023:7205 https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2023-39332

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect