fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Mon, 09 Sep 2024 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-284
CPEs cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*
Vendors & Products Nodejs
Nodejs nodejs
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Sat, 07 Sep 2024 16:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in Node.js version 20, where fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag in Node.js 20. This flaw arises from a missing check in the fs.openAsBlob() API. fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2024-09-07T16:00:35.918Z

Updated: 2024-09-26T15:03:04.235Z

Reserved: 2023-04-13T01:00:12.085Z

Link: CVE-2023-30583

cve-icon Vulnrichment

Updated: 2024-09-26T15:03:04.235Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-09-07T16:15:02.117

Modified: 2024-11-21T08:00:27.697

Link: CVE-2023-30583

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-06-20T00:00:00Z

Links: CVE-2023-30583 - Bugzilla