Bug 1214152 (CVE-2023-32004)

Summary: VUL-0: CVE-2023-32004: nodejs: Permission model bypass by specifying a path traversal sequence in a Buffer
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/374908/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-32004:7.1:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2023-08-10 12:06:01 UTC 
CVE-2023-32004

A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. This vulnerability affects all users using the experimental permission model in Node.js 20.

Security Advisory:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permission-model-bypass-by-specifying-a-path-traversal-sequence-in-a-buffer-highcve-2023-32004

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32004
https://bugzilla.redhat.com/show_bug.cgi?id=2230951
Comment 1 Carlos López 2023-08-10 12:43:22 UTC 
Just as CVE-2023-32003 / bsc#1214151, this should only affect openSUSE:Factory/nodejs20.
Comment 2 OBSbugzilla Bot 2023-08-10 15:55:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1214152) was mentioned in
https://build.opensuse.org/request/show/1103349 Factory / nodejs20
Comment 5 Carlos López 2023-08-28 08:04:12 UTC 
Done, closing.