A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Mon, 09 Sep 2024 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-284
CPEs cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*
Vendors & Products Nodejs
Nodejs nodejs
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Sat, 07 Sep 2024 16:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2024-09-07T16:00:35.978Z

Updated: 2024-09-26T15:03:03.244Z

Reserved: 2023-04-13T01:00:12.085Z

Link: CVE-2023-30582

cve-icon Vulnrichment

Updated: 2024-09-26T15:03:03.244Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-09-07T16:15:02.047

Modified: 2024-11-21T08:00:27.513

Link: CVE-2023-30582

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-06-20T00:00:00Z

Links: CVE-2023-30582 - Bugzilla