PT-2023-6457 · Node.Js+7 · Node.Js+7

Tniessen

·

Publicado

2023-10-17

·

Atualizado

2024-12-16

·

CVE-2023-38552

CVSS v2.0

7.8

Alta

VetorAV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions Node.js versions 18.x through 20.x
Description The issue arises when the Node.js policy feature checks the integrity of a resource against a trusted manifest. An application can intercept this operation and return a forged checksum to the node's policy implementation, effectively disabling the integrity check. This affects users of the experimental policy mechanism in active release lines.
Recommendations For Node.js versions 18.x through 20.x, consider disabling the experimental policy mechanism until a fix is available. As a temporary workaround, restrict access to the policy feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Insufficient Verification of Data Authenticity

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-345

Identificadores relacionados

ALSA-2023:5849
ALSA-2023:5869
ALSA-2023:7205
ALT-PU-2023-6858
AZL-31614
BDU:2023-07176
BIT-NODE-2023-38552
BIT-NODE-MIN-2023-38552
CESA-2023_5869
CESA-2023_7205
CVE-2023-38552
DSA-5589-1
MGASA-2023-0299
OPENSUSE-SU-2023_4207-1
OPENSUSE-SU-2023_4373-1
OPENSUSE-SU-2023_4374-1
OPENSUSE-SU-2024:13337-1
OPENSUSE-SU-2024:13340-1
RHSA-2023:5849
RHSA-2023:5869
RHSA-2023:7205
RHSA-2023_5849
RHSA-2023_5869
RHSA-2023_7205
RLSA-2023:7205
SUSE-SU-2023:4132-1
SUSE-SU-2023:4133-1
SUSE-SU-2023:4150-1
SUSE-SU-2023:4155-1
SUSE-SU-2023:4207-1
SUSE-SU-2023:4259-1
SUSE-SU-2023:4373-1
SUSE-SU-2023:4374-1

Produtos afetados

Alt Linux
Almalinux
Centos
Node.Js
Red Hat
Red Os
Rocky Linux
Suse