PT-2023-6457 · Node.Js+7 · Node.Js+7

Tniessen

Published

2023-10-17

Updated

2024-12-16

CVE-2023-38552

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions Node.js versions 18.x through 20.x

Description The issue arises when the Node.js policy feature checks the integrity of a resource against a trusted manifest. An application can intercept this operation and return a forged checksum to the node's policy implementation, effectively disabling the integrity check. This affects users of the experimental policy mechanism in active release lines.

Recommendations For Node.js versions 18.x through 20.x, consider disabling the experimental policy mechanism until a fix is available. As a temporary workaround, restrict access to the policy feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-345

Related Identifiers

ALSA-2023:5849

ALSA-2023:5869

ALSA-2023:7205

ALT-PU-2023-6858

AZL-31614

BDU:2023-07176

BIT-NODE-2023-38552

BIT-NODE-MIN-2023-38552

CESA-2023_5869

CESA-2023_7205

CVE-2023-38552

DSA-5589-1

MGASA-2023-0299

OPENSUSE-SU-2023_4207-1

OPENSUSE-SU-2023_4373-1

OPENSUSE-SU-2023_4374-1

OPENSUSE-SU-2024:13337-1

OPENSUSE-SU-2024:13340-1

RHSA-2023:5849

RHSA-2023:5869

RHSA-2023:7205

RHSA-2023_5849

RHSA-2023_5869

RHSA-2023_7205

RLSA-2023:7205

SUSE-SU-2023:4132-1

SUSE-SU-2023:4133-1

SUSE-SU-2023:4150-1

SUSE-SU-2023:4155-1

SUSE-SU-2023:4207-1

SUSE-SU-2023:4259-1

SUSE-SU-2023:4373-1

SUSE-SU-2023:4374-1

Affected Products

Alt Linux

Almalinux

Centos

Node.Js

Red Hat

Red Os

Rocky Linux

Suse

PT-2023-6457 · Node.Js+7 · Node.Js+7

CVE-2023-38552

Weakness Enumeration

Related Identifiers

Affected Products

References · 102