Bug 1214153 (CVE-2023-32005)

Summary: VUL-0: CVE-2023-32005: nodejs: fs.statfs can retrive stats from files restricted by the Permission Model
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/374915/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-32005:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2023-08-10 12:07:11 UTC 
CVE-2023-32005

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.statfs API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. This vulnerability affects all users using the experimental permission model in Node.js 20.

Security Advisory:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsstatfs-can-retrive-stats-from-files-restricted-by-the-permission-model-lowcve-2023-32005

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32005
https://bugzilla.redhat.com/show_bug.cgi?id=2230958
Comment 1 Carlos López 2023-08-10 12:48:00 UTC 
Just as CVE-2023-32003 / bsc#1214151, this should only affect
openSUSE:Factory/nodejs20.
Comment 2 OBSbugzilla Bot 2023-08-10 15:55:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1214153) was mentioned in
https://build.opensuse.org/request/show/1103349 Factory / nodejs20
Comment 5 Carlos López 2023-08-28 08:04:42 UTC 
Done, closing.