Bug 1214151 (CVE-2023-32003)

Summary: VUL-0: CVE-2023-32003: nodejs: fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/374916/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-32003:8.2:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2023-08-10 12:04:50 UTC 
CVE-2023-32003

fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. This vulnerability affects all users using the experimental permission model in Node.js 20.

Security Advisory:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsmkdtemp-and-fsmkdtempsync-are-missing-getvalidatedpath-checks-lowcve-2023-32003

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32003
https://bugzilla.redhat.com/show_bug.cgi?id=2230959
Comment 1 Carlos López 2023-08-10 12:41:39 UTC 
From what I gather the experimental permission model was introduced in version 20, so only openSUSE:Factory/nodejs20 would affected.
Comment 2 Adam Majer 2023-08-10 13:04:33 UTC 
(In reply to Carlos López from comment #1)
> From what I gather the experimental permission model was introduced in
> version 20, so only openSUSE:Factory/nodejs20 would affected.

It's been introduced some time ago, so initial parts of it were backported all the way to v12. But most of the bugs are only in the newer versions.
Comment 3 OBSbugzilla Bot 2023-08-10 15:55:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1214151) was mentioned in
https://build.opensuse.org/request/show/1103349 Factory / nodejs20
Comment 6 Carlos López 2023-08-28 08:05:18 UTC 
Done, closing.