CVE-2023-38552

CVE-2023-38552

Name

CVE-2023-38552

Description

When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://hackerone.com/reports/2094235
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
	https://security.netapp.com/advisory/ntap-20231116-0013/
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20241108-0002/

Type

URI

MISC

https://hackerone.com/reports/2094235

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/

https://security.netapp.com/advisory/ntap-20231116-0013/

af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20241108-0002/

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nodejs:node.js::::::::`	nodejs	>= 20.1.0	<= 20.8.0
`cpe:2.3:a:nodejs:node.js::::::::`	nodejs	>= 18.0.0	<= 18.18.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*

nodejs

>= 20.1.0

<= 20.8.0

cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*

nodejs

>= 18.0.0

<= 18.18.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
nodejs-current	edge-community	20.8.1-r0	psykose <alice@ayaya.deV>	fixed
nodejs-current	3.22-community	20.8.1-r0	None	fixed
nodejs-current	3.21-community	20.8.1-r0	None	fixed
nodejs-current	3.20-community	20.8.1-r0	None	fixed
nodejs-current	3.19-community	20.8.1-r0	None	fixed
nodejs-current	3.18-community	20.8.1-r0	Jose-Luis Rivas <ghostbar@riseup.net>	fixed
nodejs	edge-main	18.18.2-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
nodejs	edge-main	18.18.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.18.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.17.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.17.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.16.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.16.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.16.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.15.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.15.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.14.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.14.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.14.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.13.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.12.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.22-main	18.18.2-r0	None	fixed
nodejs	3.22-main	18.17.1-r0	None	possibly vulnerable
nodejs	3.22-main	18.14.1-r0	None	possibly vulnerable
nodejs	3.22-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.21-main	18.18.2-r0	None	fixed
nodejs	3.21-main	18.17.1-r0	None	possibly vulnerable
nodejs	3.21-main	18.14.1-r0	None	possibly vulnerable
nodejs	3.21-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.20-main	18.18.2-r0	None	fixed
nodejs	3.20-main	18.17.1-r0	None	possibly vulnerable
nodejs	3.20-main	18.14.1-r0	None	possibly vulnerable
nodejs	3.20-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.19-main	18.18.2-r0	None	fixed
nodejs	3.19-main	18.17.1-r0	None	possibly vulnerable
nodejs	3.19-main	18.14.1-r0	None	possibly vulnerable
nodejs	3.19-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.18-main	18.18.2-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
nodejs	3.17-main	18.18.2-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed

Source package

Branch

Version

Maintainer

Status

nodejs-current

edge-community

20.8.1-r0

psykose <alice@ayaya.deV>

fixed

nodejs-current

3.22-community