Bug 2219829 (CVE-2023-30584) - CVE-2023-30584 nodejs: path traversal bypass in experimental permission model
Summary: CVE-2023-30584 nodejs: path traversal bypass in experimental permission model
Keywords:
Status: NEW
Alias: CVE-2023-30584
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2220697 2220698 2220693 2220694 2220695 2220696 2220699 2220700 2220701 2220702 2220703 2220704
Blocks: 2217661
Reported: 2023-07-05 14:51 UTC by Dhananjay Arunesh
Modified: 2024-02-01 09:01 UTC

Fixed In Version: Node 20.3.1
Doc Text:
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. This vulnerability affects all users using the experimental permission model in Node.js.
Clone Of:
Environment:
Last Closed:
Embargoed:

Description Dhananjay Arunesh 2023-07-05 14:51:53 UTC
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions.

References:
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Comment 1 Dhananjay Arunesh 2023-07-06 04:50:52 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2220698]
Affects: fedora-all [bug 2220696]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2220695]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2220697]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2220694]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2220693]

