1214153 – (CVE-2023-32005) VUL-0: CVE-2023-32005: nodejs: fs.statfs can retrive stats from files restricted by the Permission Model

Bug 1214153 (CVE-2023-32005) - VUL-0: CVE-2023-32005: nodejs: fs.statfs can retrive stats from files restricted by the Permission Model

Summary: VUL-0: CVE-2023-32005: nodejs: fs.statfs can retrive stats from files restric...

Status:	RESOLVED FIXED

Alias:	CVE-2023-32005

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/374915/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-32005:3.7:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-08-10 12:07 UTC by Carlos López
Modified:	2023-10-27 10:11 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos López 2023-08-10 12:07:11 UTC

CVE-2023-32005

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.statfs API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. This vulnerability affects all users using the experimental permission model in Node.js 20.

Security Advisory:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsstatfs-can-retrive-stats-from-files-restricted-by-the-permission-model-lowcve-2023-32005

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32005
https://bugzilla.redhat.com/show_bug.cgi?id=2230958

Comment 1 Carlos López 2023-08-10 12:48:00 UTC

Just as CVE-2023-32003 / bsc#1214151, this should only affect
openSUSE:Factory/nodejs20.

Comment 2 OBSbugzilla Bot 2023-08-10 15:55:07 UTC

This is an autogenerated message for OBS integration:
This bug (1214153) was mentioned in
https://build.opensuse.org/request/show/1103349 Factory / nodejs20

Comment 5 Carlos López 2023-08-28 08:04:42 UTC

Done, closing.