Home > Vulnerability Database > CVE-2023-39332

Mend.io Vulnerability Database

CVE-2023-39332

Date: October 17, 2023

Various "node:fs" functions allow specifying paths as either strings or "Uint8Array" objects. In Node.js environments, the "Buffer" class extends the "Uint8Array" class. Node.js prevents path traversal through strings (see CVE-2023-30584) and "Buffer" objects (see CVE-2023-32004), but not through non-"Buffer" "Uint8Array" objects. This is distinct from CVE-2023-32004 which only referred to "Buffer" objects. However, the vulnerability follows the same pattern using "Uint8Array" instead of "Buffer". Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Language: JS

Severity Score

9.8

Related Resources (7)

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/

Url: https://hackerone.com/reports/2199818

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/

Url: https://security.netapp.com/advisory/ntap-20231116-0009/

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-39332

Url: https://www.mend.io/vulnerability-database/CVE-2023-39332

Severity Score

9.8

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-39332

Date: October 17, 2023

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?