CVE-2023-32003 — Vulnetix

Try Vulnetix Request Demo

CVE-2023-32003 PUBLISHED CVSS 8.699999809265137 HIGH

`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

EPSS 0.08% · 22.9th percentile

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS Score

0.08%

22.9th percentile

Affected Products

Vendor	Product	Versions
Bitnami	node	20.0.0
Bitnami	node	20.0.0, 20.0.0, 20.0.0
Bitnami	node-min	20.0.0, 20.0.0, 20.0.0
Bitnami	node-min	20.0.0

Timeline

CVE Published
Aug 11, 2023 PoC Published
Aug 16, 2023 EPSS Score
Sep 18, 2023 EPSS Score
Oct 7, 2023 PoC Published
Oct 21, 2023 EPSS Score
Nov 22, 2023 EPSS Score
Jan 27, 2024 EPSS Score
Feb 29, 2024 EPSS Score
Apr 2, 2024 EPSS Score
May 4, 2024 EPSS Score
Jun 6, 2024 EPSS Score

References

Open in Interactive Console →