VDB
CVE-2023-39331
CVE-2023-39331
PUBLISHED
CVSS 8.699999809265137 HIGH
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
EPSS 0.66% · 71.5th percentile
Risk Scores
CVSS 4.0
8.699999809265137
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.66%
71.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | node | 20.0.0 |
| Bitnami | node-min | 20.0.0, 20.0.0, 20.0.0 |
| Bitnami | node-min | 20.0.0 |
| Bitnami | node | 20.0.0, 20.0.0, 20.0.0 |
Exploit Intelligence
- Permission model improperly protects against path traversal in Node.js 20 (hackerone)
- Permission model improperly protects against path traversal (hackerone)
- Permission model improperly protects against path traversal in Node.js 20 (hackerone)
- Permission model improperly protects against path traversal (hackerone)
- Permission model improperly protects against path traversal in Node.js 20 (hackerone)
- Permission model improperly protects against path traversal (hackerone)
- https://hackerone.com/reports/2092852 (osv)
Timeline
- CVE Published
- Oct 13, 2023 PoC Published
- Oct 18, 2023 EPSS Score
- Nov 18, 2023 EPSS Score
- Nov 30, 2023 PoC Published
- Dec 19, 2023 EPSS Score
- Feb 20, 2024 EPSS Score
- Mar 22, 2024 EPSS Score
- Apr 22, 2024 EPSS Score
- May 23, 2024 EPSS Score
- Jun 24, 2024 EPSS Score
- Aug 25, 2024 EPSS Score