2230959 – (CVE-2023-32003) CVE-2023-32003 nodejs: fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks

Bug 2230959 (CVE-2023-32003) - CVE-2023-32003 nodejs: fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks

Summary: CVE-2023-32003 nodejs: fs.mkdtemp() and fs.mkdtempSync() are missing getValid...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2023-32003
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2233396
Blocks:	2230962
TreeView+	depends on / blocked

Reported:	2023-08-10 10:10 UTC by Mauro Matteo Cascella
Modified:	2023-08-23 15:10 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in NodeJS. This security issue occurs as fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API, and the impact is a malicious actor could create an arbitrary directory.
Clone Of:
Environment:
Last Closed:	2023-08-10 15:15:18 UTC
Embargoed:

Attachments	(Terms of Use)

Description Mauro Matteo Cascella 2023-08-10 10:10:26 UTC

fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. This vulnerability affects all users using the experimental permission model in Node.js 20.

Security Advisory:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsmkdtemp-and-fsmkdtempsync-are-missing-getvalidatedpath-checks-lowcve-2023-32003

Comment 1 Product Security DevOps Team 2023-08-10 15:15:16 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-32003

Comment 2 Sandipan Roy 2023-08-22 07:15:03 UTC

Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2233396]

Note You need to log in before you can comment on or make changes to this bug.