Bug 1212577 (CVE-2023-30582)

Summary: VUL-0: CVE-2023-30582: nodejs20: fs.watchFile bypass in experimental permission model
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/370078/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2023-06-21 11:46:33 UTC 
fs.watchFile bypass in experimental permission model (Medium) (CVE-2023-30582)

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.

This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to.

This vulnerability affects all users using the experimental permission model in Node.js 20.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Thanks to Colin Ihrig for reporting this vulnerability and to Rafael Gonzaga for fixing it.

https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
Comment 1 OBSbugzilla Bot 2023-06-21 12:45:10 UTC 
This is an autogenerated message for OBS integration:
This bug (1212577) was mentioned in
https://build.opensuse.org/request/show/1094364 Factory / nodejs20
Comment 5 Carlos López 2024-05-30 18:52:37 UTC 
Done, closing.