Bugzilla – Bug 1214151
VUL-0: CVE-2023-32003: nodejs: fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks
Last modified: 2023-10-27 10:10:56 UTC
CVE-2023-32003 fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. This vulnerability affects all users using the experimental permission model in Node.js 20. Security Advisory: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsmkdtemp-and-fsmkdtempsync-are-missing-getvalidatedpath-checks-lowcve-2023-32003 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32003 https://bugzilla.redhat.com/show_bug.cgi?id=2230959
From what I gather the experimental permission model was introduced in version 20, so only openSUSE:Factory/nodejs20 would affected.
(In reply to Carlos López from comment #1) > From what I gather the experimental permission model was introduced in > version 20, so only openSUSE:Factory/nodejs20 would affected. It's been introduced some time ago, so initial parts of it were backported all the way to v12. But most of the bugs are only in the newer versions.
This is an autogenerated message for OBS integration: This bug (1214151) was mentioned in https://build.opensuse.org/request/show/1103349 Factory / nodejs20
Done, closing.