CVE-2023-32003

2023-08-1516:15:10

Alpine Linux Development Team

security.alpinelinux.org

node.js

fs.mkdtemp

path traversal

permission model

vulnerability

experimental feature

unix

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

31.8%

JSON

fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory.

This vulnerability affects all users using the experimental permission model in Node.js 20.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

OSVersionArchitecturePackageVersionFilename
Alpine3.15-mainnoarchnodejs= 16.20.2-r0UNKNOWN
Alpine3.16-mainnoarchnodejs= 16.20.2-r0UNKNOWN
Alpine3.18-mainnoarchnodejs= 18.20.1-r0UNKNOWN
Alpine3.17-mainnoarchnodejs= 18.20.1-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	3.15-main	noarch	nodejs	= 16.20.2-r0	UNKNOWN
Alpine	3.16-main	noarch	nodejs	= 16.20.2-r0	UNKNOWN
Alpine	3.18-main	noarch	nodejs	= 18.20.1-r0	UNKNOWN
Alpine	3.17-main	noarch	nodejs	= 18.20.1-r0	UNKNOWN