A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Mon, 09 Sep 2024 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Nodejs
Nodejs nodejs |
|
Weaknesses | CWE-284 | |
CPEs | cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:* | |
Vendors & Products |
Nodejs
Nodejs nodejs |
|
Metrics |
cvssV3_1
|
ssvc
|
Sat, 07 Sep 2024 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. | A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. |
References |
|
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2024-09-07T16:00:35.978Z
Updated: 2024-09-26T15:03:03.244Z
Reserved: 2023-04-13T01:00:12.085Z
Link: CVE-2023-30582
Vulnrichment
Updated: 2024-09-26T15:03:03.244Z
NVD
Status : Awaiting Analysis
Published: 2024-09-07T16:15:02.047
Modified: 2024-11-21T08:00:27.513
Link: CVE-2023-30582
Redhat