Bug 1212575 (CVE-2023-30584) - VUL-0: CVE-2023-30584: nodejs20: Path traversal bypass in experimental permission model
Summary: VUL-0: CVE-2023-30584: nodejs20: Path traversal bypass in experimental permis...
Status: RESOLVED FIXED
Alias: CVE-2023-30584
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/370072/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-21 11:44 UTC by Robert Frohl
Modified: 2024-05-30 18:52 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2023-06-21 11:44:23 UTC 
Path traversal bypass in experimental permission model (High) (CVE-2023-30584)

A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions.

This vulnerability affects all users using the experimental permission model in Node.js 20.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.

https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
Comment 1 OBSbugzilla Bot 2023-06-21 12:45:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1212575) was mentioned in
https://build.opensuse.org/request/show/1094364 Factory / nodejs20
Comment 2 Adam Majer 2023-08-04 15:11:13 UTC 
This should be fixed in all affected versions (nodejs20). Reassigning to security team for tracking
Comment 5 Carlos López 2024-05-30 18:52:35 UTC 
Done, closing.