CVE-2023-30586
A privilege escalation vulnerability exists in Node.js 20 that allows loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model's Permission::enabled_ in the host process's heap memory. Please note that at the time this CVE was issued, the permission model was an experimental feature of Node.js.
EPSS 0.04% · 13.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | node | 20.0.0 |
| Bitnami | node-min | 20.0.0 |
Timeline
- CVE Published
- Jun 22, 2023 PoC Published
- Jul 1, 2023 EPSS Score
- Aug 5, 2023 EPSS Score
- Sep 9, 2023 EPSS Score
- Oct 7, 2023 PoC Published
- Oct 14, 2023 EPSS Score
- Nov 18, 2023 EPSS Score
- Dec 22, 2023 EPSS Score
- Jan 26, 2024 EPSS Score
- Mar 1, 2024 EPSS Score
- Apr 5, 2024 EPSS Score