CVE-2023-32003

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2023-32003

CGA ID

CGA-ff88-fh23-r4cw

Severity

5.3

Medium

CVSS V3

Description

fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory.

This vulnerability affects all users using the experimental permission model in Node.js 20.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

References

https://images.chainguard.dev/security/CGA-ff88-fh23-r4cw
https://github.com/advisories/GHSA-r874-ffh8-2fvj
https://security.netapp.com/advisory/ntap-20230915-0009/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/
https://hackerone.com/reports/2037887

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2023-32003

Severity

Description

References

Affected packages

Products

Why Chainguard

Customers

Company

Resources