Bug 2244414 (CVE-2023-39332)

Summary: CVE-2023-39332 nodejs: path traversal through path stored in Uint8Array
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ericconley443, Hemonigranger, hhorak, jorton, nodejs-maint, tjuhasz, VetaEVega
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not through non-Buffer Uint8Array objects.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2244460, 2244461, 2244452, 2244453, 2244454, 2244455, 2244456, 2244457, 2244458, 2244459, 2244462, 2244493, 2258564, 2258565    
Bug Blocks: 2244419    

Description Dhananjay Arunesh 2023-10-16 12:31:39 UTC 
Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not through non-Buffer Uint8Array objects.

References:
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
Comment 1 Dhananjay Arunesh 2023-10-16 14:26:13 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2244452]
Affects: fedora-37 [bug 2244459]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-38 [bug 2244454]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-38 [bug 2244456]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2244453]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2244461]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2244458]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2244460]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-38 [bug 2244455]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2244457]
Comment 7 errata-xmlrpc 2023-11-14 16:55:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7205 https://access.redhat.com/errata/RHSA-2023:7205
Comment 8 Dhananjay Arunesh 2024-01-16 10:00:21 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2258564]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2258565]
Comment 10 Hemoni 2024-06-20 02:11:37 UTC 
It's amazing! Your article is very good and very useful to us! Thank you so much for taking the time to share with us! Have a good time with https://unoonlinegame.io free.
Comment 11 eric conley 2025-05-02 04:15:32 UTC 
I would like to confirm that CVE-2023-39332 has been addressed in Red Hat Enterprise Linux 8 via RHSA-2023:7205. For other affected platforms, such as Fedora and EPEL, the associated tracking bugs (e.g., Bug 2244452 for EPEL 7 and Bug 2244459 for Fedora 37) indicate that patches are being managed accordingly.- https://geekydane.com
Comment 12 TomasJuhasz 2025-05-05 09:02:18 UTC 
(In reply to eric conley from comment #11)
> I would like to confirm that CVE-2023-39332 has been addressed in Red Hat
> Enterprise Linux 8 via RHSA-2023:7205. For other affected platforms, such as
> Fedora and EPEL, the associated tracking bugs (e.g., Bug 2244452 for EPEL 7
> and Bug 2244459 for Fedora 37) indicate that patches are being managed
> accordingly.- https://geekydane.com

Hello,
The CVE-2023-39332 was fixed in nodejs version 20.8.1(https://nodejs.org/en/blog/vulnerability/october-2023-security-releases), which was then used by RHSA-2023:7205 as a re-base version.
Connected jira-ticket (https://issues.redhat.com/browse/RHEL-13856)
Comment 13 Madinem 2025-06-02 06:37:44 UTC 
CVE-2023-39332 was addressed in Node.js version 20.8.1 (see: Node.js Security Releases - October 2023), which subsequently served as the rebase version for RHSA-2023:7205.
Comment 14 Elizabeth E. Hall 2025-06-02 09:10:07 UTC Comment hidden (spam)