Bug 1216270 (CVE-2023-39331)

Summary: VUL-0: CVE-2023-39331: nodejs: Permission model improperly protects against path traversal
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Leroy <thomas.leroy>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: dheidler
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/381934/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39331:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Leroy 2023-10-16 09:30:09 UTC 
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations.

Impacts:

This vulnerability affects all users using the experimental permission model in Node.js 20.x.
Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js.

Thanks to Tobias Nießen who reported and created the security patch.

References:
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
Comment 2 OBSbugzilla Bot 2023-10-16 14:15:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1216270) was mentioned in
https://build.opensuse.org/request/show/1118025 Factory / nodejs20
Comment 5 Bruno Pitrus 2023-10-16 17:31:23 UTC 
Upstream claims this affects only Node 20. Electron uses Node 18. Removing myself from cc.
Comment 8 Carlos López 2024-05-30 18:52:42 UTC 
Done, closing.