CVE-2023-32005

MEDIUM Year: 2023
CVSS v3 Score
5.3
Medium
Weakness Type
CWE-732
View all →

Vulnerability Description

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Related Vulnerabilities

CVE-2011-2515

MEDIUM
CVSS:5.3(Medium)

PackageKit 0.6.17 allows installation of unsigned RPM packages as though they were signed which may allow installation of non-trusted packages and execution of arbitrary code.

CWE-7322011

CVE-2011-4912

MEDIUM
CVSS:5.3(Medium)

Joomla! com_mailto 1.5.x through 1.5.13 has an automated mail timeout bypass.

CWE-7322011

CVE-2016-11062

MEDIUM
CVSS:5.3(Medium)

An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed.

CWE-7322016

CVE-2017-0423

MEDIUM
CVSS:5.3(Medium)

An elevation of privilege vulnerability in Bluetooth could enable a proximate attacker to manage access to documents on the device. This issue is rated as Moderate because it first requires exploitati...

CWE-7322017

CVE-2017-15906

MEDIUM
CVSS:5.3(Medium)

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

CWE-7322017

CVE-2017-16754

MEDIUM
CVSS:5.3(Medium)

Bolt before 3.3.6 does not properly restrict access to _profiler routes, related to EventListener/ProfilerListener.php and Provider/EventListenerServiceProvider.php.

CWE-7322017