CVE-2023-32558 — Vulnetix

Try Vulnetix Request Demo

CVE-2023-32558 PUBLISHED CVSS 8.699999809265137 HIGH

The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

EPSS 0.19% · 41.1th percentile

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS Score

0.19%

41.1th percentile

Affected Products

Vendor	Product	Versions
Bitnami	node	20.0.0, 20.0.0, 20.0.0
Bitnami	node-min	20.0.0, 20.0.0, 20.0.0
Bitnami	node-min	20.0.0
Bitnami	node	20.0.0

Timeline

CVE Published
Sep 10, 2023 PoC Published
Sep 12, 2023 EPSS Score
Oct 14, 2023 EPSS Score
Nov 15, 2023 EPSS Score
Jan 17, 2024 EPSS Score
Feb 18, 2024 EPSS Score
Mar 21, 2024 EPSS Score
Apr 22, 2024 EPSS Score
Jun 25, 2024 EPSS Score
Jul 27, 2024 EPSS Score
Aug 27, 2024 EPSS Score

References

Open in Interactive Console →